ARCHIVED—About the Principles

Principles for Electronic Authentication
A Canadian Framework
May 2004

---

Concepts and Terminology

The subject of the Principles is the authentication of electronic communications in its broadest sense. Therefore, the concepts and terms used in this document relate to all participants, actions and techniques comprising all aspects of authentication, whether considered from the technical, legal or business perspective. Each concept or term relates to the others; none should be considered in isolation.

Functions

For the purposes of the Principles, the authentication process is viewed as encompassing six functions. Their relative importance depends on the purpose and structure of the authentication process.

Authentication Administration

Administering the measure or measures designed to confirm the attributes of a participant and those designed to support the credibility of a participant's claim to possess those attributes and thereby be authenticated.

Specification

Establishing or selecting an authentication process and delivery mechanism.

End Use

Originating or receiving an authenticated electronic communication and relying on the authentication of the attributes.

Standards Development

Establishing standards that support the continued development of processes designed to facilitate authentication of electronic communications.

Compliance Assessment

Observing and making informed evaluations of the practices associated with authentication to ensure that appropriate policies, procedures and standards are being followed.

Infrastructure Provision

Providing the capability that enables authentication, including functions to authenticate identity or the integrity of electronic communications.

Definitions

The Authentication Principles Working Group considered existing definitions, particularly those created by international standards groups such as the International Organization for Standardization (ISO), when developing the Principles. However, the broad scope of the Principles resulted in definitions that may not correspond to similar terms used by specific communities.²

Authentication

A process that attests to the attributes of participants in an electronic communication or to the integrity of the communication.

Attributes

Information concerning the identity, privileges or rights of a participant or other authenticated entity.

Participant

An individual or organization participating in an authentication process, whether directly or through another authenticated entity, such as a data service or object, hardware device or software program.

Electronic communication

An electronic transmission, message or transaction.

Integrity

Assurance that the information in an electronic communication has not been modified or corrupted during the process of communication.

Authentication is intended to promote trust in electronic communication. Participants in an electronic communication are provided with assurance that other participants have been authenticated using technological methods, and that those other participants, as well as the integrity of the communication itself, can be trusted to the degree specified by the authenticator (the designated authority that confirms the attributes of a participant or entity and then attests to them to other participants in the electronic communication). Participants rely on the authentication of an electronic communication to the extent that they can assess the reliability of the authentication. The technological methods and specifications used for authentication are often based on cryptographic techniques.

The act of authentication depends on some prior activity that authorizes participants, based on their presentation of certain specified attributes, to enter into an authenticated electronic communication. A participant's attributes may relate to a person's identity. As an alternative, the required attributes may identify the person's rights or privileges to enter into the electronic communication. In the latter case, a participant may not need to be identified personally to other participants.

Authentication processes frequently attest to the attributes of non-human entities. For example, an organization participating in an authentication process may choose to authenticate a server. In this case, the server's attributes may relate to the privileges it has been assigned to communicate with other servers or clients on the system.

Authorization is the responsibility of a designated authority. Many models are available for carrying out such authorization. For example, a simple exchange of information may require as authorization only the presentation of user identification and a password. An electronic system established to communicate highly confidential and private information may, by contrast, require in-person presentation of two or more pieces of reliable identification combined with unique personal characteristics, such as fingerprints. Yet another model designates an employer as the authority, who then authorizes a group of employees to engage in electronic communications on its behalf on the basis of individuals' job functions.

---

² For example, the definition of authentication encompasses "message authentication", which is commonly understood to refer to processes applied to ensure message integrity. Furthermore, a term that is not defined or used in connection with the Principles is non-repudiation. The term is commonly used to describe a technical standard to be met by an authentication process. However, the term is misleading in a more general context because it incorrectly implies a conclusion of law.