ARCHIVED—About the Principles
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Principles for Electronic Authentication
A Canadian Framework
Concepts and Terminology
The subject of the Principles is the authentication of electronic communications in its broadest sense. Therefore, the concepts and terms used in this document relate to all participants, actions and techniques comprising all aspects of authentication, whether considered from the technical, legal or business perspective. Each concept or term relates to the others; none should be considered in isolation.
For the purposes of the Principles, the authentication process is viewed as encompassing six functions. Their relative importance depends on the purpose and structure of the authentication process.
Administering the measure or measures designed to confirm the attributes of a participant and those designed to support the credibility of a participant's claim to possess those attributes and thereby be authenticated.
Establishing or selecting an authentication process and delivery mechanism.
Originating or receiving an authenticated electronic communication and relying on the authentication of the attributes.
Establishing standards that support the continued development of processes designed to facilitate authentication of electronic communications.
Observing and making informed evaluations of the practices associated with authentication to ensure that appropriate policies, procedures and standards are being followed.
Providing the capability that enables authentication, including functions to authenticate identity or the integrity of electronic communications.
The Authentication Principles Working Group considered existing definitions, particularly those created by international standards groups such as the International Organization for Standardization (ISO), when developing the Principles. However, the broad scope of the Principles resulted in definitions that may not correspond to similar terms used by specific communities.2
A process that attests to the attributes of participants in an electronic communication or to the integrity of the communication.
Information concerning the identity, privileges or rights of a participant or other authenticated entity.
An individual or organization participating in an authentication process, whether directly or through another authenticated entity, such as a data service or object, hardware device or software program.
An electronic transmission, message or transaction.
Assurance that the information in an electronic communication has not been modified or corrupted during the process of communication.
Authentication is intended to promote trust in electronic communication. Participants in an electronic communication are provided with assurance that other participants have been authenticated using technological methods, and that those other participants, as well as the integrity of the communication itself, can be trusted to the degree specified by the authenticator (the designated authority that confirms the attributes of a participant or entity and then attests to them to other participants in the electronic communication). Participants rely on the authentication of an electronic communication to the extent that they can assess the reliability of the authentication. The technological methods and specifications used for authentication are often based on cryptographic techniques.
The act of authentication depends on some prior activity that authorizes participants, based on their presentation of certain specified attributes, to enter into an authenticated electronic communication. A participant's attributes may relate to a person's identity. As an alternative, the required attributes may identify the person's rights or privileges to enter into the electronic communication. In the latter case, a participant may not need to be identified personally to other participants.
Authentication processes frequently attest to the attributes of non-human entities. For example, an organization participating in an authentication process may choose to authenticate a server. In this case, the server's attributes may relate to the privileges it has been assigned to communicate with other servers or clients on the system.
Authorization is the responsibility of a designated authority. Many models are available for carrying out such authorization. For example, a simple exchange of information may require as authorization only the presentation of user identification and a password. An electronic system established to communicate highly confidential and private information may, by contrast, require in-person presentation of two or more pieces of reliable identification combined with unique personal characteristics, such as fingerprints. Yet another model designates an employer as the authority, who then authorizes a group of employees to engage in electronic communications on its behalf on the basis of individuals' job functions.
2 For example, the definition of authentication encompasses "message authentication", which is commonly understood to refer to processes applied to ensure message integrity. Furthermore, a term that is not defined or used in connection with the Principles is non-repudiation. The term is commonly used to describe a technical standard to be met by an authentication process. However, the term is misleading in a more general context because it incorrectly implies a conclusion of law.
- Date modified: