ARCHIVED—Scope and Nature of the Principles

Principles for Electronic Authentication
A Canadian Framework
May 2004

---

These Principles relate to the authentication of electronic communications in its broadest sense.

The Principles are intended to apply to authentication processes used in connection with electronic communications that take place between businesses or governments and other organizations, between organizations and individuals (consumers or citizens), and between individuals.

A range of relationships can exist between authenticators and end users, and among end users. Many of these relationships are governed by agreements. The Principles are intended to guide the development of these agreements and to apply to the full range of these relationships.

Parties to negotiated contracts are usually best able to determine which terms and conditions suit their particular needs. However, in situations in which a party may not have the opportunity to negotiate the terms of their interaction with the other party (or parties) to the transaction, the Principles are of particular importance.

The Principles should be considered and applied as a unified whole.

The provisions in the various Principles are interrelated and interdependent; they cannot achieve their purposes if they are implemented selectively, although not all Principles may apply in all cases. Those applying the Principles to define or implement authentication processes are encouraged to exceed the benchmarks that the Principles establish and to expand upon them to address the requirements of their particular security environment or application.

The Principles are expressed at a high level of generality and technological neutrality.

Canadians can choose from a variety of technologies to authenticate their electronic communications, according to the nature of the particular communication and the requirements of the participants.

The implementation of authentication processes also differs, depending on the business or legal objectives to be met, as well as the characteristics of the environment in which the electronic communication takes place, such as security and privacy needs and other legislative or regulatory obligations. These factors define the functionality required of an authentication process and, in some cases, even the type of authentication used.

The Principles are designed to foster a well-functioning, fair and competitive marketplace for authentication products and services.

Authentication processes should be effective, efficient, reliable and easy-to-use, and should respect the interests of individuals and organizations. Whenever possible, the Principles accommodate choice of technology, services and solutions, choice of the degree of reliance by end users, and choice of tools used to ensure compliance.

The Principles emphasize proportionality.

The degree of responsibility and risk that each participant in the authentication process assumes should be in proportion to the degree of knowledge and control that the participant can reasonably be expected to have and to exercise, as well as to the nature and value of the electronic communication itself. Since participants can perform multiple functions in varying combinations, the degree of responsibility and risk assumed by any one participant may vary, depending on these functions.

The Principles emphasize data privacy.

The Principles recognize the existing and evolving legal framework for the protection of the privacy of personal information in Canada, and address how privacy protection standards apply to authentication. The Principles address the intersection of privacy-respecting and security-enhancing practices. The importance of privacy to Canadians requires those who design and implement authentication measures to consider how their systems can best respect privacy at every stage of the process.

The Principles have been developed to ensure compatibility with international developments in authentication.

Canada is committed to continued involvement in various international fora addressing the need for global frameworks for authentication. This participation ensures that Canada's approach is in step with that of other jurisdictions, enabling Canadian industry to be competitive in the international marketplace.