User-Centric Verifiable Digital Credentials

October 7, 2019

1. The closing date for this challenge has been extended to November 7 2019 at 14:00 ET.
2. Attachment 1 has been added. The document contains questions and answers related to the Challenge.
3. The Desired outcomes and Considerations have been amended as follows:

REMOVE:

Desired outcomes and Considerations

Essential (Mandatory) Outcomes

1. Create User-centric Verifiable Digital Credentials able to operate on a national or global interoperable verification platform
2. Protect the privacy and identity of the user at all times
3. Incorporate the following emerging and/or mature specifications for interoperability that have been funded, tested and/or championed by the United States of America Department of Homeland Security:

• Verifiable Credentials: Blockcerts and/or Hyperledger Project Indy
• Decentralized Identifiers (Standards Development Organizations: World Wide Web Consortium (W3C) or Decentralized Identity Foundation),
• Verifiable Credentials (Standards Development Organization - W3C); and
• JavaScript Object Notation for Linked Data / JSON-LD (Standards Development Organization - W3C).

4. Adhere to applicable policy instruments, guidelines and frameworks, including but not limited to:

• Requirements specified in the Treasury Board Directive on Identity Management; and
• Conformance Criteria specified in the Public Sector Profile of the Pan-Canadian Trust Framework.

Additional Outcomes

Proposed solutions should:

1. Give issuers and recipients ownership of their official records that can be cryptographically signed and presented anywhere to verify credential provenance and ownership.
2. Give issuers and recipients autonomy over how they use their records and verify digital credentials. For example, if issuers decide to switch vendors later on, they retain full access and use of their digital certificates.
3. Give relying trusted third parties the ability to verify any record independently, in independent fashion, for free and independent of any software vendor or issuing institution. Relying parties can easily verify any digital credential through widely available technology such as a web browser or a mobile phone. Verification is based on open and interoperable approaches.
4. Provide leading-edge digital credential security to enable the global trust economy that are cryptographically signed thus enabling third parties to verify their provenance and ownership.
5. Demonstrate the components of self-sovereign identity:

• decentralized and portable;
• demonstrated control of attributes; and
• independence from a centralized registry, identity provider, or certificate authority.

INSERT:

Desired outcomes and Considerations

Essential (Mandatory) Outcomes

Proposed solutions must:

1. Create User-centric Verifiable Digital Credentials able to operate on a national or global interoperable verification platform;
2. Protect the privacy and identity of the user at all times* (see note);
3. Incorporate the following emerging and/or mature specifications for interoperability that have been funded, tested and/or championed by the United States of America Department of Homeland Security:

• Decentralized Identifiers (Standards Development Organizations: World Wide Web Consortium (W3C) or Decentralized Identity Foundation),
• Verifiable Credentials (Standards Development Organization - W3C); and
• JavaScript Object Notation for Linked Data / JSON-LD (Standards Development Organization - W3C);

4. Demonstrate the feasibility of the specifications described above in support of creating, transmitting and storing verifiable digital credentials using wallet or agent reference implementations. These reference implementations may include but not are limited to: Blockcerts, Hyperledger Indy Aries

5. Adhere to applicable policy instruments, guidelines and frameworks, including but not limited to:

• Requirements specified in the Treasury Board Directive on Identity Management; and
• Conformance Criteria specified in the Public Sector Profile of the Pan-Canadian Trust Framework.

*Note: In relation to protecting privacy and identity of the user, the bidder is expected to demonstrate, in the proposal, knowledge and application of relevant controls as outlined in applicable guidance, including but not limited to CSE ITSP.30.31 published at https://www.cse-cst.gc.ca/en/system/files/pdf_documents/itsp.30.031v3-eng_0.pdf

It is also expected that the bidder demonstrate, in the proposal, sufficient knowledge to enumerate relevant threat agents and mitigation approaches

Additional Outcomes

Proposed solutions should:

1. Give issuers and recipients ownership of their official records that can be cryptographically signed and presented anywhere to verify credential provenance and ownership.
2. Give issuers and recipients autonomy over how they use their records and verify digital credentials. For example, if issuers decide to switch vendors later on, they retain full access and use of their digital certificates.
3. Give relying trusted third parties the ability to verify any record independently, in independent fashion, for free and independent of any software vendor or issuing institution. Relying parties can easily verify any digital credential through widely available technology such as a web browser or a mobile phone. Verification is based on open and interoperable approaches.
4. Provide leading-edge digital credential security to enable the global trust economy that are cryptographically signed thus enabling third parties to verify their provenance and ownership.
5. Demonstrate the components of self-sovereign identity:

• decentralized and portable;
• demonstrated control of attributes; and
• independence from a centralized registry, identity provider, or certificate authority.

6. Demonstrate multiple partnerships and interoperability with other companies within verifiable credential ecosystem.

*******************************************************

This Challenge Notice is issued under the Innovative Solutions Canada Program (ISC) Call for Proposals 002 (EN578-170003/C). For general ISC information, Bidders can visit the ISC website.

Please refer to the Solicitation Documents which contain the process for submitting a proposal.

Steps to apply:

Step 1: read this challenge

Step 2: read the Call for Proposals

Step 3: propose your solution here

CHALLENGE TITLE: User-Centric Verifiable Digital Credentials

CHALLENGE SPONSOR: Shared Services Canada (SSC) and Treasury Board Secretariat of Canada (TBS)

Funding Mechanism: Contract

MAXIMUM CONTRACT VALUE:

Multiple contracts could result from this Challenge.

The maximum funding available for any Phase 1 Contract resulting from this Challenge is $150,000.00 CAD (plus tax) including shipping, travel and living expenses, as applicable, for up to 6 months.

The maximum funding available for any Phase 2 Contract resulting from this Challenge is $1,000,000.00 CAD (plus tax) including shipping, travel and living expenses, as applicable, for up to 12 months. Only eligible businesses that have completed Phase 1 could be considered for Phase 2.

This disclosure is made in good faith and does not commit Canada to contract for the total approximate funding.

TRAVEL:  No travel is anticipated

Kick-off meeting

Teleconference/videoconference

Progress Review Meeting(s)

Teleconference/videoconference

Final Review Meeting

Teleconference/videoconference

Problem Summary Statement

The Treasury Board Secretariat of Canada (TBS) and Shared Services Canada (SSC) are seeking a standardized method to issue and rapidly verify portable digital credentials across many different contexts, thereby reducing human judgement error, increasing efficiency and ensuring digital credential veracity using cryptography.

Problem Statement

This challenge is seeking a portable secure digital credentials (self-sovereign identity) solution held by individuals that can be independently, cryptographically and rapidly verified using emerging distributed ledger standards and an approach that may give rise to a global digital verification platform. For many contexts, ranging from applying for a job to transiting checkpoints for aviation security, paper documents remain the predominant way to prove key attributes about an individual, such as their name, date of birth, academic/professional qualifications, or security clearance. While these attributes might be presented in digital form, there are no widely adopted or standardized methods to issue and rapidly verify digital credentials across many different contexts. There exists no current capability to digitally verify without dependencies on centralized or low-latency network platforms (or both).

Note: The operational solution will be required to store all personal information within Canada

Desired outcomes and Considerations

Essential (Mandatory) Outcomes

Proposed solutions must:

1. Create User-centric Verifiable Digital Credentials able to operate on a national or global interoperable verification platform;
2. Protect the privacy and identity of the user at all times* (see note);
3. Incorporate the following emerging and/or mature specifications for interoperability that have been funded, tested and/or championed by the United States of America Department of Homeland Security:

• Decentralized Identifiers (Standards Development Organizations: World Wide Web Consortium (W3C) or Decentralized Identity Foundation),
• Verifiable Credentials (Standards Development Organization - W3C); and
• JavaScript Object Notation for Linked Data / JSON-LD (Standards Development Organization - W3C);

4. Demonstrate the feasibility of the specifications described above in support of creating, transmitting and storing verifiable digital credentials using wallet or agent reference implementations. These reference implementations may include but not are limited to: Blockcerts, Hyperledger Indy Aries

5. Adhere to applicable policy instruments, guidelines and frameworks, including but not limited to:

• Requirements specified in the Treasury Board Directive on Identity Management; and
• Conformance Criteria specified in the Public Sector Profile of the Pan-Canadian Trust Framework.

*Note: In relation to protecting privacy and identity of the user, the bidder is expected to demonstrate, in the proposal, knowledge and application of relevant controls as outlined in applicable guidance, including but not limited to CSE ITSP.30.31 published at https://www.cse-cst.gc.ca/en/system/files/pdf_documents/itsp.30.031v3-eng_0.pdf

It is also expected that the bidder demonstrate, in the proposal, sufficient knowledge to enumerate relevant threat agents and mitigation approaches

Additional Outcomes

Proposed solutions should:

1. Give issuers and recipients ownership of their official records that can be cryptographically signed and presented anywhere to verify credential provenance and ownership.
2. Give issuers and recipients autonomy over how they use their records and verify digital credentials. For example, if issuers decide to switch vendors later on, they retain full access and use of their digital certificates.
3. Give relying trusted third parties the ability to verify any record independently, in independent fashion, for free and independent of any software vendor or issuing institution. Relying parties can easily verify any digital credential through widely available technology such as a web browser or a mobile phone. Verification is based on open and interoperable approaches.
4. Provide leading-edge digital credential security to enable the global trust economy that are cryptographically signed thus enabling third parties to verify their provenance and ownership.
5. Demonstrate the components of self-sovereign identity:

• decentralized and portable;
• demonstrated control of attributes; and
• independence from a centralized registry, identity provider, or certificate authority.

6. Demonstrate multiple partnerships and interoperability with other companies within verifiable credential ecosystem.

Background and Context

This challenge intends to determine the feasibility and characteristics of developing a national or global interoperable verification platform that can be used to independently verify digital credentials issued by a dynamic set of trusted issuers, and used by a broad and diverse population of users. This can be tested in a context, such as aviation security where there are many actors and authorities operating across many organizational and geographical boundaries. Building on these standards, the goal is to prove that a decentralized, interoperable digital verification ecosystem can be built that can be used by many independent issuers, operators, and most importantly users, by means of open-source libraries and standards-based capabilities. In order for a new technology to gain adoption, it must be made accessible through easy-to-use and widely available software and ubiquitous infrastructure such as Blockchain, Distributed Ledger Technology (DLTs) and Self-Sovereign Identity (SSI). A government could potentially leverage these and develop a ubiquitous infrastructure with enhanced transparency and auditing of public service operations, greater visibility into multi-party business operations, and automation of paper-based processes to improve delivery of services to organizations and citizens. There exists a common need to issue entitlements, attestations and certifications for a variety of purposes including travel, training, education, affiliation, organizational identity and delegated authority and more. Current issuance processes are often paper based, non-interoperable and are susceptible to loss, destruction, forgery, and counterfeiting. While there is a diversity of contexts, there are many common needs across different departmental and agency contexts with a potential use of interoperable implementations of Blockchain, DLTs and SSI that also support the growth and availability of a competitive marketplace of diverse technology implementations for government and industry to draw upon to deliver cost effective and innovative solutions. For many contexts, ranging from applying for a job to transiting checkpoints for aviation security, paper documents remain the predominant way to prove key attributes about an individual, such as their name, date of birth, academic/professional qualifications, or security clearance. While these attributes might be presented in digital form, there are no widely adopted or standardized methods to issue and rapidly verify digital credentials across many different contexts. There exists no current capability to digitally verify without dependencies on centralized or low-latency network platforms (or both). In addition, there is a potential need for self-sovereign identity, which is the concept that people and businesses can store their own identity data on their own devices, and provide it efficiently to those who need to validate it, without relying on a central repository of identity data.

ENQUIRIES

All enquiries must be submitted in writing to TPSGC.SIC-ISC.PWGSC@tpsgc-pwgsc.gc.ca no later than ten calendar days before the Challenge Notice closing date. Enquiries received after that time may not be answered.