Pan-Canadian Trust Framework (PCTF)
Canada's national framework for trusted digital identity, establishing requirements for identity assurance, credential management, and privacy protection across federal, provincial, and territorial jurisdictions.
What is it?
The PCTF, developed by the Digital ID & Authentication Council of Canada (DIACC), defines how digital identity ecosystems should operate to be trusted, interoperable, and privacy-preserving. It provides a set of conformance criteria organized into components that technology providers must meet.
Assurance Levels
- Level 1 (Low) — Self-asserted identity with minimal verification
- Level 2 (Substantial) — Remote identity proofing with verified government document + additional factor
- Level 3 (High) — In-person or supervised remote proofing with biometric capture + government photo ID
Components
Verified Person
Status: Conformant. Identity proofing and verification of natural persons. BaseID evaluates 11 evidence types across 6 verification methods to score IAL Level 1-3.
Verified Organization
Status: Not Applicable (issuer-side). Identity verification for organizations and legal entities is handled by issuer infrastructure and credential templates.
Credential Management
Status: Conformant. Issuance, lifecycle management, and revocation of digital credentials. The policy engine validates type, issuer, and assurance level requirements.
Notice & Consent
Status: Conformant. Privacy-preserving consent tracking with purpose limitation, expiry, and revocation. Every presentation requires explicit consent.
Digital Integrity
Status: Conformant. Hash-chained audit trail with tamper detection, privacy redaction, and JSON Lines export. Ed25519/P-256 cryptographic signatures.
How BaseID Implements PCTF
- baseid-pctf crate with full IAL evaluation — 11 evidence types, Level 1-3 scoring, upgrade guidance, and cross-framework mapping (PCTF ↔ eIDAS ↔ NIST 800-63 ↔ TDIF).
- Consent lifecycle management: creation, purpose limitation, expiry, revocation, and validity checking per the Notice & Consent component.
- Hash-chained append-only audit log with 8 action types covering the full credential lifecycle, tamper detection via verify_chain(), and privacy-redacted JSON Lines export.
- PCTF policy engine combining assurance level, credential type, trusted issuer, and consent checks with bilingual (EN/FR) error messages.
- Bilingual compliance self-assessment reporting covering all 5 PCTF components with Conformant/PartiallyConformant/NonConformant status.
- 50 automated tests validating all PCTF compliance requirements.
Evidence Taxonomy
- GovernmentPhotoId — passport, driver's licence, PR card
- GovernmentDocument — SIN letter, birth certificate
- Biometric — facial recognition, fingerprint with match verification
- InPerson — in-person identity proofing at a trusted location
- SupervisedRemote — video call with a human agent
- DocumentVerification — OCR + liveness + database check
- ChannelBinding — email/phone OTP verification
- KnowledgeBased — security questions, shared secrets
- TrustedCredential — credential from a trusted issuer (bank KYC)
- AddressDocument — utility bill, bank statement
- SelfAsserted — self-declared information
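As an added example (not code from BaseID's baseid-pctf crate), here is a hypothetical evaluator in Rust that scores a set of these evidence types to Level 1-3, reports which evidence is still missing for the next level (the "upgrade guidance" mentioned above), and maps the result to the eIDAS and NIST 800-63 labels used in the cross-framework mapping. The rules that decide each level are my reading of the three assurance-level descriptions on this page, not DIACC's conformance criteria; the Evidence variants reuse the names of this taxonomy.

```rust
// Added example, not BaseID's own code. Level rules are assumptions derived
// from this page's assurance-level summary:
//   Level 3: (InPerson or SupervisedRemote) + Biometric + GovernmentPhotoId
//   Level 2: GovernmentPhotoId verified remotely (DocumentVerification) + one more factor
//   Level 1: anything else, including purely SelfAsserted data
use std::collections::BTreeSet;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Evidence {
    GovernmentPhotoId, GovernmentDocument, Biometric, InPerson, SupervisedRemote,
    DocumentVerification, ChannelBinding, KnowledgeBased, TrustedCredential,
    AddressDocument, SelfAsserted,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Assessment {
    pub level: u8,               // PCTF level 1..=3
    pub eidas: &'static str,     // eIDAS label (assumed mapping)
    pub nist_ial: &'static str,  // NIST 800-63 IAL (assumed mapping)
    pub upgrade: Vec<Evidence>,  // evidence still needed to reach the next level
}

fn has(ev: &BTreeSet<Evidence>, e: Evidence) -> bool { ev.contains(&e) }

/// Evidence missing for Level 3. When neither supervised method is present the
/// guidance suggests SupervisedRemote, the cheaper of the two to add.
fn missing_for_level3(ev: &BTreeSet<Evidence>) -> Vec<Evidence> {
    let mut m = Vec::new();
    if !(has(ev, Evidence::InPerson) || has(ev, Evidence::SupervisedRemote)) {
        m.push(Evidence::SupervisedRemote);
    }
    if !has(ev, Evidence::Biometric) { m.push(Evidence::Biometric); }
    if !has(ev, Evidence::GovernmentPhotoId) { m.push(Evidence::GovernmentPhotoId); }
    m
}

/// Evidence missing for Level 2: a remotely verified photo ID plus one extra
/// factor that binds the document to the applicant (OTP channel, biometric, ...).
fn missing_for_level2(ev: &BTreeSet<Evidence>) -> Vec<Evidence> {
    let mut m = Vec::new();
    if !has(ev, Evidence::GovernmentPhotoId) { m.push(Evidence::GovernmentPhotoId); }
    if !has(ev, Evidence::DocumentVerification) { m.push(Evidence::DocumentVerification); }
    let extra = [Evidence::ChannelBinding, Evidence::Biometric, Evidence::TrustedCredential,
                 Evidence::AddressDocument, Evidence::KnowledgeBased];
    if !extra.iter().any(|e| has(ev, *e)) { m.push(Evidence::ChannelBinding); }
    m
}

/// Scores the highest level whose requirements are fully met; duplicates in
/// the input are collapsed so the same document cannot count twice.
pub fn evaluate(evidence: &[Evidence]) -> Assessment {
    let ev: BTreeSet<Evidence> = evidence.iter().copied().collect();
    let l3 = missing_for_level3(&ev);
    if l3.is_empty() {
        return Assessment { level: 3, eidas: "high", nist_ial: "IAL3", upgrade: vec![] };
    }
    let l2 = missing_for_level2(&ev);
    if l2.is_empty() {
        return Assessment { level: 2, eidas: "substantial", nist_ial: "IAL2", upgrade: l3 };
    }
    Assessment { level: 1, eidas: "low", nist_ial: "IAL1", upgrade: l2 }
}

fn main() {
    // Constructed input: remote onboarding with a scanned passport and an SMS OTP.
    let a = evaluate(&[Evidence::GovernmentPhotoId, Evidence::DocumentVerification, Evidence::ChannelBinding]);
    println!("level {} ({} / {}), to upgrade add {:?}", a.level, a.eidas, a.nist_ial, a.upgrade);
}
```

The evaluator is deliberately monotonic: Level 3 is granted only when every Level 3 requirement is present, and a Level 3 set that happens to lack remote document verification is not demoted, because supervised proofing replaces it. The upgrade list is what a wallet would show a holder whose credential was refused by a verifier demanding a higher level.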
Consent Lifecycle
- Purpose limitation — consent is valid only for the stated purpose
- Data element tracking — records exactly which claims are shared
- Expiry — automatic transition to Expired status after timestamp
- Revocation — subjects can revoke consent at any time
- Validity checking — verifies Active status + not expired + covers request
Audit Trail
- Hash chaining — each entry's SHA-256 hash covers the previous entry's hash, so modifying, reordering or removing an entry breaks every later link (truncating the tail is not detected by the chain alone; anchor the latest hash externally, e.g. by signing it)
- 8 action types — CredentialIssued/Presented/Verified/Revoked, ConsentGiven/Revoked, DidCreated/Resolved
- Privacy redaction — configurable policy removes actor DIDs and details from exports
- JSON Lines export — one JSON object per line for log aggregation
- Query — filter by actor, action type, or time range
Policy Engine
- Assurance level gate — credential IAL must meet verifier's minimum
- Credential type whitelist — optional accepted types filter
- Trusted issuer whitelist — optional trusted DIDs filter
- Consent validation — checks for matching valid consent record
- Bilingual errors — violation messages in both English and French
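As an added example serving both the Consent Lifecycle section above and this Policy Engine section (hypothetical code, not BaseID's policy engine or consent module), here is a Rust consent record with the Active/Expired/Revoked transitions and coverage check described above, and a verifier policy that applies the four gates and returns every violation with an English and a French message. The violation codes, DIDs and the "age-check" purpose are constructed for the example.

```rust
// Added example, not BaseID's own code: consent lifecycle plus a verifier policy engine.
use std::collections::BTreeSet;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ConsentStatus { Active, Expired, Revoked }

#[derive(Clone, Debug)]
pub struct Consent {
    pub subject: String,                 // DID of the data subject
    pub verifier: String,                // DID of the relying party the consent was given to
    pub purpose: String,                 // purpose limitation
    pub data_elements: BTreeSet<String>, // exactly which claims may be shared
    pub expires_at: u64,                 // unix seconds
    pub status: ConsentStatus,
}

impl Consent {
    /// Automatic transition to Expired once the timestamp has passed; Revoked is terminal.
    pub fn refresh(&mut self, now: u64) {
        if self.status == ConsentStatus::Active && now >= self.expires_at {
            self.status = ConsentStatus::Expired;
        }
    }
    pub fn revoke(&mut self) { self.status = ConsentStatus::Revoked; }

    /// Valid only if Active, not expired, given to this verifier for this purpose,
    /// and covering every requested claim (a superset request is refused, not trimmed).
    pub fn covers(&self, now: u64, verifier: &str, purpose: &str, requested: &BTreeSet<String>) -> bool {
        self.status == ConsentStatus::Active && now < self.expires_at
            && self.verifier == verifier && self.purpose == purpose
            && requested.is_subset(&self.data_elements)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct Violation { pub code: &'static str, pub en: String, pub fr: String }

pub struct Presentation {
    pub subject: String, pub issuer: String, pub credential_type: String,
    pub level: u8, pub claims: BTreeSet<String>,
}

pub struct Policy {
    pub verifier: String,
    pub min_level: u8,
    pub accepted_types: Option<BTreeSet<String>>,  // None = any type
    pub trusted_issuers: Option<BTreeSet<String>>, // None = any issuer
    pub purpose: String,
}

impl Policy {
    /// Collects every violation instead of stopping at the first, so the holder sees all reasons.
    pub fn evaluate(&self, p: &Presentation, consents: &[Consent], now: u64) -> Vec<Violation> {
        let mut v = Vec::new();
        if p.level < self.min_level {
            v.push(Violation { code: "ASSURANCE_TOO_LOW",
                en: format!("Credential assurance level {} is below the required level {}", p.level, self.min_level),
                fr: format!("Le niveau d'assurance {} du justificatif est inférieur au niveau requis {}", p.level, self.min_level) });
        }
        if let Some(types) = &self.accepted_types {
            if !types.contains(&p.credential_type) {
                v.push(Violation { code: "TYPE_NOT_ACCEPTED",
                    en: format!("Credential type {} is not accepted", p.credential_type),
                    fr: format!("Le type de justificatif {} n'est pas accepté", p.credential_type) });
            }
        }
        if let Some(issuers) = &self.trusted_issuers {
            if !issuers.contains(&p.issuer) {
                v.push(Violation { code: "ISSUER_NOT_TRUSTED",
                    en: format!("Issuer {} is not trusted", p.issuer),
                    fr: format!("L'émetteur {} n'est pas de confiance", p.issuer) });
            }
        }
        let consented = consents.iter()
            .any(|c| c.subject == p.subject && c.covers(now, &self.verifier, &self.purpose, &p.claims));
        if !consented {
            v.push(Violation { code: "NO_VALID_CONSENT",
                en: "No valid consent covers this purpose and these claims".into(),
                fr: "Aucun consentement valide ne couvre cette finalité et ces données".into() });
        }
        v
    }
}

pub fn set(items: &[&str]) -> BTreeSet<String> { items.iter().map(|s| s.to_string()).collect() }

fn main() {
    // Constructed sample: an age-check verifier, a Level 2 driver's licence, and an active consent.
    let now = 1_700_000_000;
    let consent = Consent { subject: "did:example:alice".into(), verifier: "did:example:verifier".into(),
        purpose: "age-check".into(), data_elements: set(&["given_name", "birth_date"]),
        expires_at: now + 3600, status: ConsentStatus::Active };
    let policy = Policy { verifier: "did:example:verifier".into(), min_level: 2,
        accepted_types: Some(set(&["DriversLicence"])), trusted_issuers: Some(set(&["did:example:issuer"])),
        purpose: "age-check".into() };
    let pres = Presentation { subject: "did:example:alice".into(), issuer: "did:example:issuer".into(),
        credential_type: "DriversLicence".into(), level: 2, claims: set(&["birth_date"]) };
    for v in policy.evaluate(&pres, &[consent], now) { println!("{} | {} | {}", v.code, v.en, v.fr); }
}
```

The consent check is bound to the verifier DID as well as the purpose, so a consent given to one relying party cannot be replayed by another, and a request for claims outside the consented set is refused outright rather than silently narrowed, which keeps the audit record honest about what the holder actually agreed to.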
Compliance Reporting
Generate bilingual (EN/FR) self-assessment reports covering all 5 PCTF components. Each component receives a status (Conformant, Partially Conformant, Non-Conformant, Not Applicable) with evidence and improvement recommendations. Reports are serializable to JSON for audit submission.
Conformance Testing
BaseID validates protocol compliance via the OpenID Foundation Conformance Suite, which tests OID4VCI 1.0 (credential issuance), OID4VP 1.0 (credential presentation), and HAIP 1.0 (high assurance profile). The suite runs locally via Podman and can be integrated into CI pipelines. Combined with 887 automated unit tests across 35 Rust crates and 50 PCTF-specific tests, this provides comprehensive conformance evidence.
- OpenID Conformance Suite — OID4VCI, OID4VP, HAIP test plans via Podman
- 887 automated tests across 35 Rust crates
- 50 PCTF-specific tests (assurance, consent, audit, policy, reporting)
- Cross-framework mapping validated (PCTF ↔ eIDAS ↔ NIST ↔ TDIF)
- Full conformance criteria matrix available in PCTF.md
Certification Pathway
PCTF certification is achieved through the DIACC Voilà Verified Trustmark Program, the only official PCTF certification. DTLab provides Level 1 (documentation review) and Level 2 (technical examination) assessments. BaseID includes a built-in ReportBuilder that generates bilingual self-assessment reports for audit submission; a self-assessment is supporting evidence for the program, not the certification itself.
Adoption
PCTF is the foundation for digital identity programs across Canadian provinces including British Columbia (BC Wallet), Alberta, and Quebec (Bill 82). Federal programs like GC Issue and Verify align with PCTF. DIACC membership includes 100+ organizations across government, financial services, healthcare, and technology sectors.
Ready to build with BaseID?
Get started with our open-source libraries or contact us about managed services.