On July 1, 2009, the Policy for Public Key Infrastructure Management in the Government of Canada (PKI Policy) was rescinded. This guideline is intended to help departments and program managers understand how the responsibilities and practices which were established by the PKI Policy are governed under the requirements of the Policy on Government Security (PGS).
The guideline describes recommended practices for the governance and management of Public Key Infrastructure (PKI) within the Government of Canada (GC) and provides operational guidance. This guideline does not include technical advice, guidance or requirements on the implementation of public key technology by GC departments and agencies.
The PKI Policy was established to implement the position of the GC that public key technology would be the preferred means by which the GC would electronically authenticate the identity of entities or persons and enhance the integrity and confidentiality of documents.
As part of the renewed policy suite initiative, the PKI Policy was rescinded to align responsibilities and accountabilities for secure electronic transactions under the PGS and its supporting instruments. This will ensure a consistent approach to supporting the secure electronic business of government. It enables options for electronic authentication, which should permit the GC to achieve security and identity outcomes while also providing the flexibility for departments and agencies to utilise technologies best suited to their specific business requirements.
Whereas the PKI Policy previously promoted the use of public key technology, the PGS and its supporting instruments are intended to be technology neutral. In order to achieve the GC's desired security outcomes of assuring that information, assets, services and interactions are protected against compromise, the PGS, the Directive on Departmental Security Management (DDSM) and the Directive on Identity Management (DIDM) outline the GC-wide requirements for establishing risk management-based processes by which departments and agencies can effectively address their security and identity risks.
Standards and guidelines that support the PGS and its directives serve to promote common and/or best practices across the GC, but do not seek to prescribe the specific method, solution, tool or technology that departments and agencies are required to employ in order to meet security control objectives. As a result, departments now have greater discretion in selecting technologies that best meet their needs; PKI is one of the available options.
This section identifies, at a high level, the federal electronic signature and electronic documents legislation. This is a non-exhaustive list. Departments should consult their departmental legal services unit to determine which, if any, legislation applies to their specific uses.
Part 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA) provides an opt-in framework that describes electronic alternatives to the use of paper to record or communicate information or transactions, where the use of paper is contemplated by statutes or regulations (e.g. when a federal law refers to "originals", "statements under oath", "solemn affirmation", "declarations of truth, or accuracy or completeness", "documents under seal" and "witnessed documents").
Section 31.4 of the Canada Evidence Act (CEA) provides the Governor in Council with a power to make regulations establishing evidentiary presumptions in relation to electronic documents signed with secure electronic signatures.
The Secure Electronic Signature Regulations (SES Regulations) adopted pursuant to PIPEDA and the CEA prescribe the technology and process required for the implementation of secure electronic signatures and establish the evidentiary presumptions applicable when the prescribed technology and process were used in respect of data contained in an electronic document.
Additional information on secure electronic signatures can be found under the "Recognition" section of these guidelines.
This section identifies and describes applicable policies, directives and standards that should be consulted by departments in deciding whether to implement a PKI to meet their needs. Relevant sections of these documents have been quoted for ease of reference; however it is recommended that readers consult the original documents for full context.
The PGS identifies, at a high level, the need for establishing trust in interactions for government services and programs without prescribing the mechanisms for doing so:
Security begins by establishing trust in interactions between government and Canadians and within government.[1]
Appendix C of the DDSM provides the direction that departments have the responsibility for selecting appropriate security controls to meet their needs:
Departments are responsible for selecting, implementing, monitoring and maintaining sustainable security controls to achieve the security control objectives. Security controls may be administrative, managerial, operational, technical or procedural. Mandatory and recommended security controls are specified in standards and guidelines that support the Policy on Government Security. Additional security controls and control objectives are selected and implemented by departments based on the results of risk assessments.[2]
The DDSM goes into greater specificity on the responsibilities for selecting security controls and assessing and accepting residual risk levels for programs and services. The DDSM states that departmental security practitioners are responsible for:
Selecting, implementing and maintaining security controls related to their area of responsibility to ensure that control objectives are achieved.[3]
Additionally, according to the DDSM, managers at all levels are responsible for:
Assessing security risks, formally accepting residual risks or recommending acceptance of residual risks as defined in the Departmental Security Plan and periodically reassessing and re-evaluating risks in light of changes to programs, activities or services and taking corrective action to address identified deficiencies;[4]
The Operational Security Standard: Management of IT Security (MITS) expands on this responsibility for program and service delivery managers within the realm of IT security:
In designing programs and services, managers will work with departmental security specialists to risk manage their programs or services. Relying on the advice and support of the IT Security Coordinator, managers must determine the IT security requirements of their programs and services, have them accredited, and accept the associated residual risk.[5]
MITS further specifies responsibilities for certification and accreditation of IT systems in the GC:
For common systems or services, the Government of Canada Chief Information Officer is the accreditation authority. For systems or services that are specific to a department, the program or service delivery manager is responsible for accreditation. For systems or services shared by two or more organizations, the manager of the program or service is the accreditation authority.[6]
These responsibilities are applicable to the certification and accreditation of PKI systems in the GC. As a result, the responsible program or service delivery manager should ensure (with the assistance of the department's security practitioners) that any policies, processes, or technologies implemented to provide assurance in the PKI system are appropriate and sufficient when making their decision to accredit the system.
While the governance and management of PKI within the GC was previously defined by the specific mechanisms prescribed in the PKI Policy, PKI is now managed in accordance with the requirements of the PGS and the supporting GC security directives and standards (particularly MITS). As a result of rescinding the PKI Policy, departments that select PKI as an appropriate security control should find that they have more flexibility in how they manage their PKI.
Within the GC, a common CA issues public key certificates (PKC) on behalf of other departments or external users. The Internal Credential Management (ICM) Common Services CA, operated by PWGSC on behalf of Treasury Board Secretariat (TBS), is the approved common CA for departments requiring PKI certificates for internal-to-government systems which contain information up to and including the "Protected B" level. Departments should consult the Common Services Policy and the Departmental Guide to Adoption of Secure Channel Mandatory Services to identify mandatory uses of this service. The ICM Common Services CA has been recognized by the President of the Treasury Board in accordance with the SES Regulations.
PWGSC also operates the Government On-Line (GOL) CA service on behalf of TBS, for the issuance of certificates to external-to-government users. The GOL CA is approved for uses up to and including the "Protected B" level of information.
Departments should contact their PWGSC client-services representative to discuss their objectives and to identify whether these common CAs can help to address the department's needs. Where a departmental requirement exists for a common CA that cannot be met by the ICM Common Services CA, TBS should be contacted at the earliest possible opportunity to identify the requirement and to specify why the ICM Common Services CA is not sufficient. Based on this information, a way forward will be identified, as will roles and responsibilities for certification and accreditation of the system. A common CA should cross-certify through the Canadian Federal PKI Bridge where practicable (see sections 3.1.3 and 3.2 below).
Departments or program managers wishing to establish a common CA should:
A Departmental CA is used by a department to meet an internal requirement for which the GC ICM Common Services CA is not mandatory (see the previous section on Common CA) and for which the ICM Common Services CA cannot adequately meet the department's needs.
For a Departmental CA, the department should ensure that proper risk management has been performed on the system. As per MITS, the program or service delivery manager at that department is responsible for accrediting the system. Departments have the flexibility to develop security requirements for Departmental CAs within their risk tolerances. It is recommended that industry best practices be followed in the definition of security requirements. It is also recommended that departments align their Certificate Policies (CP) and practices with those used by the Canadian Federal PKI Bridge where practicable and appropriate (see section 3.1.3 below).
Examples of a Departmental CA may include:
It is recommended that departments or program managers establishing a Departmental CA:
A Bridge CA (or PKI Bridge) is a CA which is used to establish a relationship of trust between separate and distinct PKI systems. The trust relationship is created through a process of cross-certification between different CAs.
Within the GC, the Canadian Federal PKI Bridge (CFPB) is the approved Bridge CA. It is operated by CSEC on behalf of TBS.
Cross-certification is a process undertaken by CAs to establish a trust relationship. It involves one CA issuing a certificate to another CA. Two cross-certifications can also be combined, with the issuer and subject roles of the CAs reversed (i.e. mutual cross-certification). When two CAs are mutually cross-certified, they agree to trust and rely upon each other's PKCs and keys as if they had issued the certificates themselves. GC departments with a requirement to cross-certify their CA with a CA outside their organization should do so through the Canadian Federal PKI Bridge; this includes cross-certifications between GC CAs and CAs external to the GC.
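To make the cross-certification concept concrete, here is an added example (not part of the guideline, and not code from CSEC, PWGSC or the CFPB) that models CAs and their cross-certificates as a directed graph and searches for a certification path from a relying party's trust anchor through a bridge CA. All CA names other than "CFPB" are hypothetical, and no real certificates or signatures are involved.

```python
from collections import deque

# Constructed model (not from the guideline): each CA is a node and each
# cross-certificate is a directed edge (issuer, subject). A relying party
# accepts a certification path only if it starts at its own trust anchor.
CROSS_CERTS = {
    # Bridge model: participating CAs cross-certify mutually with the bridge.
    ("CFPB", "Dept-A CA"), ("Dept-A CA", "CFPB"),
    ("CFPB", "Dept-B CA"), ("Dept-B CA", "CFPB"),
    # One-way cross-certification: the bridge has certified an external CA,
    # but the external CA has not issued a certificate back to the bridge.
    ("CFPB", "External CA"),
}


def issued_by(certs, issuer):
    """Subject CAs that hold a cross-certificate issued by `issuer`."""
    return sorted(subject for iss, subject in certs if iss == issuer)


def is_mutual(certs, ca_x, ca_y):
    """True when both CAs have issued a cross-certificate to each other."""
    return (ca_x, ca_y) in certs and (ca_y, ca_x) in certs


def certification_path(certs, trust_anchor, target_ca):
    """Breadth-first search for the shortest chain of cross-certificates from
    a relying party's trust anchor to the CA that issued the end-entity
    certificate. Returns the CA names along the path, or None if no path
    exists (for example, when a cross-certification is only one-way)."""
    if trust_anchor == target_ca:
        return [trust_anchor]
    seen = {trust_anchor}
    queue = deque([[trust_anchor]])
    while queue:
        path = queue.popleft()
        for subject in issued_by(certs, path[-1]):
            if subject in seen:
                continue
            new_path = path + [subject]
            if subject == target_ca:
                return new_path
            seen.add(subject)
            queue.append(new_path)
    return None


if __name__ == "__main__":
    # A Dept-A relying party validates a Dept-B certificate via the bridge.
    print(certification_path(CROSS_CERTS, "Dept-A CA", "Dept-B CA"))
    # The external CA's relying parties cannot reach any GC CA: one-way only.
    print(certification_path(CROSS_CERTS, "External CA", "Dept-A CA"))
```

Removing the two bridge edges for one department from `CROSS_CERTS` shows why each participant cross-certifies with the bridge rather than with every other CA: that department immediately loses its paths to all others.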
The President of the Treasury Board, pursuant to authority provided by Order in Council, may enter into or terminate an agreement for cross-certification or recognition of a CA including those outside of the GC. The President of the Treasury Board has delegated this authority to the Government of Canada Chief Information Officer.
Overview of the Cross-Certification Process:
Please contact the Security and Identity Management Division of CIOB at the coordinates indicated in the "Enquiries" section of this Guideline for more detailed information on the cross-certification process or to identify a requirement for cross-certification.
Recognition of a CA relates to the formal requirements to satisfy the need for a secure electronic signature as identified within Part 2 of PIPEDA. Pursuant to the SES Regulations, the President of the Treasury Board has the authority to recognize an entity or person as a CA. In accordance with the SES Regulations, prior to recognizing a CA, the President of the Treasury Board must be satisfied that the person or entity has the capacity to issue digital signature certificates in a secure and reliable manner, as set out by paragraphs 48(2)(a) to (d) of PIPEDA. Specifically, these provisions require that:
The circumstances in which departments will require recognition of their CA by the President of the Treasury Board are very limited. Prior to initiating a request with TBS for recognition of their CA, departments should ascertain their needs with regard to a program or transaction. Departments should also consult with their departmental legal services unit to determine whether there are impediments to proceeding electronically and, if there are not, whether a secure electronic signature under PIPEDA and the SES Regulations is required or whether another form of electronic signature may suffice.
In general, PIPEDA allows a department that is bound under its legislation to process signed paper documents, but that wishes to implement electronic documents in their place, to use secure electronic signatures. A secure electronic signature also allows certain evidentiary presumptions established by the SES Regulations under the CEA. In order to use secure electronic signatures and benefit from the associated presumptions, the department must first have its legislation added to the list in Schedule 2 or 3 of PIPEDA and must then comply with the SES Regulations, which include having the President of the Treasury Board recognize the CA issuing the signing keys. The regulations specify that CAs recognized as being capable of creating secure electronic signatures are to be listed on the TBS website. At this time, only federal government CAs that have cross-certified with the Canadian Federal PKI Bridge are eligible to be recognized.
Where a department has opted into the PIPEDA scheme described above, secure electronic signatures will have to be used for electronic documents where:
The following high-level steps are performed in order to recognize a CA in the context of the SES Regulations:
Please contact the Security and Identity Management Division of CIOB at the coordinates indicated in the "Enquiries" section of this Guideline for details on having a CA recognized.
Departments or program managers choosing to use public key technology as a means of protecting the confidentiality of information or electronically authenticating the identity of individuals and/or documents should:
This section discusses the roles, responsibilities and services of lead agencies in support of PKI management.
TBS sets government-wide direction, prioritizing and formalizing security and identity management requirements. This includes:
CSEC provides leadership and coordination for departmental activities that help ensure the protection of electronic information. This includes:
PWGSC delivers common IT services and other solutions that enable departments to exchange information with citizens, businesses and employees. This includes:
For enquiries regarding this policy instrument, please contact the Security and Identity Management Division.