tdif release 4: 02 - overview - amazon web services... · 2019-12-10 · tdif: 02 - overview 5 ....
OFFICIAL
02 - Overview
Trusted Digital Identity Framework (TDIF) Release 4 (R4) December 2019, version 0.3
CONSULTATION DRAFT
Digital Transformation Agency — TDIF Release 4 Consultation Draft iii
Digital Transformation Agency
This work is copyright. Apart from any use as permitted under the Copyright Act 1968
and the rights explicitly granted below, all rights are reserved.
Licence
With the exception of the Commonwealth Coat of Arms and where otherwise noted,
this product is provided under a Creative Commons Attribution 4.0 International
Licence. (http://creativecommons.org/licenses/by/4.0/legalcode)
This licence lets you distribute, remix, tweak and build upon this work, even
commercially, as long as you credit the DTA for the original creation. Except where
otherwise noted, any reference to, reuse or distribution of part or all of this work must
include the following attribution:
Trusted Digital Identity Framework (TDIF)™: 02 - Overview © Commonwealth of
Australia (Digital Transformation Agency) 2019
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It’s an Honour website (http://www.itsanhonour.gov.au)
Conventions
TDIF documents referenced by this document are denoted in italics. For example,
TDIF: 03 - Accreditation Process is a reference to the TDIF document titled ‘03 –
Accreditation Process’.
The abbreviations and terms used in this document are to be interpreted as
described in the current published version of the TDIF: 01 – Glossary of
Abbreviations and Terms.
Contact us
The Digital Transformation Agency is committed to providing web accessible content
wherever possible. This document has undergone an accessibility check; however, if
you are having difficulties with accessing the document, or have questions or
comments regarding the document please email the Director, Digital Identity Policy at
Document management
The Trust Framework Accreditation Authority (TFAA) has reviewed and endorsed this
document for release.
Change log
Version | Date | Author | Description of the changes
0.1 | July 2019 | SJP | Initial version
0.2 | Oct 2019 | SJP | Updated to incorporate feedback provided by stakeholders during the first round of collaboration on TDIF Release 4
0.3 | Dec 2019 | SJP | Updated to incorporate feedback provided by stakeholders during the second round of collaboration on TDIF Release 4
Contents
1 Introduction
2 Characteristics of a trust framework
3 Trusted Digital Identity Framework
3.1 Meeting the Government’s Financial System Inquiry commitment
3.2 Identity federation governance model
3.3 TDIF Accreditation Process
3.4 Identity federation roles
3.4.1 TDIF accredited roles
3.4.2 Non-accredited roles
3.5 TDIF document list
3.6 TDIF Guiding Principles
3.7 TDIF Objectives
3.8 What TDIF success will look like
4 References
List of figures
Figure 1: System governance model
Figure 2: Roles within the federated digital identity system
1 Introduction
The Digital Transformation Agency (DTA), in collaboration with other government
agencies, key private sector bodies and privacy and consumer advocates, is leading
the development of a national federated digital identity system (the ‘identity
federation’). Implementation and operation of the identity federation is underpinned by
the Trusted Digital Identity Framework (TDIF). This document provides a high-level
overview of the TDIF including its scope and objectives.
The intended audience for this document includes:
• Potential Applicants for TDIF accreditation.
• Potential Relying Parties.
• Participants.
• Vendors.
2 Context
2.1 What is digital identity?
Digital identity is an electronic representation of an entity (individuals or other entities
such as a business) and how they are recognised online. A digital identity is a set of
attributes or information about an individual that can be electronically linked to only
that individual with their consent. Digital identity provides a means for individuals to
undertake online what they have traditionally done offline. It is a critical enabler for
individuals and business participation in the digital economy and to improve access to
and accessibility of government services.
2.2 What is an identity system?
The United Nations Commission on International Trade Law (UNCITRAL)[1] has
defined an identity system as follows:
An identity system means an online environment for identity management
transactions governed by a set of system rules (also referred to as a trust
framework) where people, organizations, services, and devices can trust each
other because authoritative sources establish and authenticate their identities.
An identity system involves:
• A set of rules, methods, procedures and routines, technology, standards, policies
and processes. It is applicable to a group of participating entities for the purpose
of managing the identity management lifecycle.
• Governing the collection, verification, storage, exchange, authentication and
reliance on identity attribute information about an individual person, legal entity,
device or digital object.
[1] United Nations Commission on International Trade Law (UNCITRAL), 2018, 'Legal issues related to
identity management and trust services - terms and concepts relevant to identity management and
trust services', United Nations. http://undocs.org/en/A/CN.9/WG.IV/WP.153
2.3 What is a trust framework?
The Open Identity Exchange (OIX)[2] defines an identity trust framework as:
A trust framework is a legally enforceable set of specifications, rules and
agreements that governs an identity system.
A trust framework typically defines the scope and purpose of the identity
system, determines what roles are to be included and what duties are assigned
to those roles, sets the eligibility requirements for entities seeking to fulfil those
roles, and establishes the rules and regulations for processing of identity
information within the context of the identity system.
A trust framework is not a new concept. Trust frameworks are commonly used to govern
multi-party systems where participants want to engage in a common type of transaction
with any of the other participants in a consistent and predictable manner. Common
examples include credit card systems, electronic payment systems, and the internet
domain name registration system, which all rely on a set of interdependent
specifications, rules, and agreements. This set of specifications, rules and
agreements is referred to by various names, such as “operating regulations,” “scheme
rules,” or “operating policies.” In the world of identity systems, they are commonly
referred to as a “trust framework.”
The DTA has been developing the TDIF since 2015. The TDIF is an accreditation
regime which specifies the minimum obligations that Identity Service Providers,
Credential Service Providers, Attribute Service Providers and Identity Exchanges are
required to meet when operating in the Australian digital identity federation.
[2] Ester Makaay, Tom Smedinghoff, Don Thibeau, June 2017, Trust Frameworks for Identity Systems,
OIXnet, https://www.oixnet.org/news-whitepaper
2.4 Characteristics of a trust framework
The Open Identity Exchange[3] states a trust framework generally possesses the
following characteristics:
• Scope: a trust framework governs a specific federated identity system to
enable the digital verification of a person’s identity, creation of a person’s
digital identity and credentials, the binding of a person to authentication
credentials and the reuse of those credentials to access relying party services.
• Purpose: to define and govern the operation of a federated identity system
and the obligations of its participants in order to ensure both the functionality
and trustworthiness of the system.
A trust framework addresses:
• Functionality: the trust framework details the functionality of the federated
identity system it governs and includes specifications, rules, and agreements to
ensure that it operates properly in two respects:
  o Proper operation: the system functions properly for its intended purpose
  (so that it works).
  o Compliance: the system and its participants operate in accordance with
  legislative and regulatory requirements.
• Trustworthiness: the trust framework is governed through the use of
specifications, rules, and agreements designed to ensure that it functions in a
way that is sufficiently trustworthy to meet the needs of the participants. To that
end:
  o Risk and issue management: it addresses and manages the various
  risks and issues inherent in participating in the identity federation, and
  the requirements designed to address those risks.
  o Legal Certainty and Predictability: the trust framework sets out the legal
  rights, responsibilities, and liabilities of the participants, within broader
  legislative and regulatory requirements.
  o Binding: the trust framework legally binds participating entities in the
  identity federation with role-specific sets of duties and liabilities.
  o Transparency: the trust framework specifications, rules, and agreements
  are accessible to and agreed by all participants.
• Content: The trust framework:
  o Defines functions and operational roles: the functions and operational
  roles needed to maintain the identity federation and engage in identity
  transactions.
  o Defines data standards: the data standards which support the identity
  federation and interoperability between functions and operational roles.
[3] See References for further information on the Open Identity Exchange
3 Trusted Digital Identity Framework
3.1 Early history
The Australian Government has been exploring the concept of online trust for several
years.
In 2010 the Department of the Prime Minister and Cabinet (PM&C) identified a need
to strengthen identity management in the digital economy and a voluntary trusted
identity model was seen as a possible way to achieve this. The possible model
involved the development of a market in identity authentication products which led to
the development of the National Trusted Identities Framework (NTIF) in 2011. The
aim of the framework was to make it simpler for government and business to
confirm the identity of individuals they do business with and allow individuals to
verify the credentials of the businesses they transact with online using the same
system. PM&C conducted two consultation sessions during 2011 and 2012 on the
NTIF. Although the sessions identified several issues and questions related to
online trust and what might be needed to address it, there was no clear consensus
on what next steps should be taken to progress the NTIF.
In 2011 the then Department of Broadband, Communications and the Digital
Economy published the National Digital Economy Strategy (NDES), which outlined
the government’s vision for Australia’s digital economy. The NDES aimed to
improve online government service delivery and engagement and built on the
concepts established in the NTIF around online trust.
In 2013 these concepts were explored further, when the Australian Government
Information Management Office (AGIMO) published the Third Party Identity Services
Assurance Framework (TPISAF). This framework set out the compliance criteria
and accreditation requirements for third party providers of identity services. The
underlying premise of the framework is that, based on an understanding of an
agency’s requirements, individuals will be able to choose to use the services of an
accredited service provider in order to access online government services.
3.2 Recent history
The Australian Government established the Financial System Inquiry[4] (‘the Inquiry’) in
December 2013 to examine the positioning of the financial system to meet evolving
needs and support economic growth for Australia. In December 2014, the Inquiry
concluded that:
The innovative potential of Australia’s financial system and broader economy
can be supported by taking action to ensure policy settings facilitate future
innovation that benefits consumers, business and government.
To facilitate innovation, the Inquiry’s recommendations include the aim to:
Strengthen Australia’s digital identity framework through the development of a
national strategy for a federated-style model of trusted digital identities.
In accepting the recommendations of the Inquiry in October 2015, the Australian
Government agreed that a national digital identity strategy would streamline people’s
interactions with government and provide efficiency improvements. As per Inquiry
Recommendation 15 (digital identity), the Government also agreed to:
work across government and with the private sector to develop a Trusted
Digital Identity Framework to support the Government’s Digital Transformation
Agenda.
The TDIF builds on previous trust framework development efforts and responds
directly to the Inquiry and government commitment. The TDIF requires providers of
identity-related services to be accredited and establishes the rules for an identity
federation.
[4] See References for further information on the FSI
3.3 Identity federation governance model
Central to the successful implementation of the identity federation is an effective and
representative governance model. Figure 1 outlines the proposed governance model
for the identity federation.
Currently, the DTA performs the role of the Trust Framework Accreditation Authority
(TFAA) and a series of Memorandums of Understanding (MOU) are in place between
the DTA and Participants. The TFAA will be replaced with an interim Oversight
Authority (OA) and the MOUs will be replaced with a set of Operating Rules (ORs). In
time this will become a fully operational governance body.
Figure 1: Identity federation governance model.
[Diagram not reproduced. Elements shown: Oversight Authority, Trusted Digital Identity Framework, Operating Rules, Identity Service Provider, Credential Service Provider, Identity Exchange, Attribute Service Provider, Relying Party, Users, Assessors. Key: Accredited Participant; Approved Participant (i.e. Relying Party); Independent assessor commissioned by Accredited Participants to undertake assessments; Bound by ORs; Monitors and enforces ORs and TDIF; Provides opinions regarding TDIF conformance.]
The fully operational Oversight Authority will:
• Execute all its duties in a transparent and impartial manner.
• Accredit Identity Service Providers, Credential Service Providers, Attribute
Service Providers and Identity Exchanges (referred to as ‘accredited
Participants’), both within and external to the federation.
• Approve Relying Parties.
• Maintain an up to date register of the accredited Participants and Relying Parties
in the identity federation.
• Assess the performance of accredited Participants and Relying Parties, in
accordance with the requirements of the Operating Rules.
• Maintain and enforce the Operating Rules and the TDIF in order to ensure trust in
the identity federation. It is intended that it will have the power to facilitate the
transfer of information between accredited Participants and Relying Parties, to
investigate security, privacy or fraud incidents and if required to suspend or
terminate an accredited Participant or a Relying Party from the identity federation.
• Coordinate accredited Participants’ and Relying Parties’ responses to security,
privacy, or fraud incidents, identity theft, disaster recovery and other issues that
impact accredited Participants or Relying Parties in the identity federation.
• Manage and resolve complaints from users, accredited Participants and Relying
Parties, in accordance with the Operating Rules.
3.4 TDIF Accreditation Process
TDIF accreditation is a formal process through which applicants demonstrate their
ability to meet specific requirements to the satisfaction of the TDIF Accreditation
Authority. TDIF accreditation covers the initial accreditation and ongoing accreditation
obligations.
Initial accreditation: accreditation of the Participants is fundamental to the
trustworthiness of the identity federation and its functional effectiveness. The TDIF
Accreditation Process involves a combination of documentation, third party
evaluations and operational testing.
Ongoing accreditation obligations: accredited Participants are required to complete
annual assessments against the TDIF and remediate any adverse findings in
timeframes agreed with the TFAA. These assessments ensure accredited
Participants continue to offer compliant identity services in a secure and privacy
preserving manner.
3.5 Participant roles
3.5.1 Accredited roles
The TDIF supports the accreditation of Identity Service Providers, Credential Service
Providers, Attribute Service Providers and Identity Exchanges that are either
joining the Government’s identity federation or are choosing to undergo
accreditation to increase the perceived assurance of their identity service.
• Identity Service Providers (IdP) are accredited to undertake the functions of
identity lifecycle management and records management. This includes
enrolling, verifying and revoking a digital identity record to standardised levels
of assurance.
• Credential Service Providers (CSP) are accredited to undertake the functions
of authentication credential management and records management. This
includes generating, binding and distributing authentication credentials to
people or can include the binding and management of authentication
credentials generated by people. This function may also be undertaken by an
IdP.
• Attribute Service Providers are accredited to undertake the functions of
attribute lifecycle management and records management. Attribute Service
Providers generate and manage attributes and claims that are provided to
Relying Parties (through Identity Exchanges) to support their decision-making
processes.
• Identity Exchanges are accredited to undertake the functions of
authentication management and records management. Identity Exchanges
convey, manage and coordinate the flow of attributes, claims and assertions
between members of the identity federation. Over time the identity federation
will likely support multiple Identity Exchanges. The Commonwealth government
Identity Exchange will function in double blind mode[5].
[5] The double-blind function enables users to participate in the identity federation without being tracked. In essence it means that
Identity Service Providers do not know what Relying Parties a user has accessed, and the Relying Party does not know which
Identity Service Provider was used to perform identity proofing.
3.5.2 Non-accredited roles
Other roles within the identity federation (which are not accredited) include Relying
Parties, Attribute Verification Services and the public.
• Relying Parties are the organisations and government agencies that rely on
verified identity information, attributes or assertions provided by Identity
Service Providers and Attribute Service Providers to enable the provision of a
digital service. Relying Parties are not accredited but are required to meet a set
of obligations in order to join the identity federation.
• Attribute Verification Services (also known as Authoritative Sources) are
repositories recognised by the TFAA that confirm the veracity of identity
attributes and associated information. Attribute Verification Services can refer
to either the repositories themselves, or the methods used to access them (e.g.
Document Verification Service and the Face Verification Service).
• Users are people who establish a digital identity to obtain digital services from
Relying Parties. This includes people acting in their own capacity and people
who act on behalf of others.
Figure 2 outlines one instance of each role, the roles to which TDIF accreditation
applies and the scope of governance for the identity federation.
The figure is intended only to show how the roles relate to each other and should not be
interpreted as a complete model of the identity federation. The DTA envisages over
time the identity federation will include several accredited Participants operating
across multiple tiers of government and the private sector. TDIF accreditation will
apply equally to these Participants, regardless of whether they are a government
agency, department or private sector entity.
Figure 2: Participant roles within the identity federation.
3.6 TDIF documents
The TDIF documents are grouped into three categories – governance, requirements
and guidance.
Governance documents
• TDIF: 01 - Glossary of Abbreviations and Terms, which includes a list of
acronyms and a definition of key terms used in the TDIF.
• TDIF: 03 - Accreditation Process, which defines the process the Applicant
and the TFAA must follow in order to achieve TDIF accreditation.
• TDIF: 07 - Annual Assessment, which includes the requirements the
accredited Participant must meet by the anniversary of their TDIF accreditation.
Requirements documents
• TDIF: 04 - Functional Requirements, which includes requirements which are
applicable to all accredited roles, including fraud control, privacy, records
management, protective security and user experience. This document also
includes the requirements and types of functional assessments to be
undertaken by the Applicant, including a Privacy Impact Assessment (PIA),
Privacy Audit, Information Security Registered Assessors Program (IRAP)
assessment, penetration test and Web Content Accessibility Guidelines
(WCAG) assessment.
• TDIF: 05 - Role-specific Requirements, which includes the lifecycle
management requirements applicable to the specific role being accredited. For
example, the information collection and disclosure requirements to be met by
an Identity Service Provider.
• TDIF: 06 - Federation-onboarding Requirements, which includes the
requirements to be met when an Applicant is approved to onboard to the
Government’s identity federation. This document includes technical integration
testing, Service Level Agreements, user terms, operating obligations and the
accreditation requirements for an Identity Exchange[6].
• TDIF: 06B - OpenID Connect 1.0 Profile, which describes how OpenID
Connect 1.0 is used within the identity federation.
[6] The Identity Exchange performs a unique role in the identity federation. Where other roles can be accredited as standalone
systems, the Identity Exchange needs to demonstrate how it coordinates the flow of data to other federation participants; it
cannot be accredited as a standalone system. For this reason, the Identity Exchange accreditation requirements are listed in
TDIF: 06 - Federation-onboarding Requirements and not the TDIF: 05 - Role-specific Requirements.
Guidance documents
• TDIF: 02 - Overview (this document), which provides a high-level overview of
the TDIF including its scope and objectives.
• TDIF: 04A – Functional Guidance, which provides guidance to Applicants on
meeting functional requirements.
• TDIF: 05A – Role-specific Guidance, which provides guidance to Applicants
on meeting role-specific accreditation requirements.
• TDIF: 06A – Federation-onboarding Guidance, which provides guidance to
Applicants on meeting federation-onboarding requirements.
• TDIF: 06C - SAML 2.0 Profile, which describes how SAML 2.0 is used within
the identity federation.
3.7 TDIF guiding principles
The TDIF adheres to the following guiding principles:
User centric:
• Accessing digital services must be easy, convenient, simple, secure and trusted.
• Individuals can choose their digital identity and authentication credentials from a
range of accredited government and private sector providers.
• Individuals can choose to maintain one or several digital identities and
authentication credentials with one or more Identity Service Providers.
• Personal and business digital identities can be combined or kept separate. This
supports people choosing to keep their personal and business identities
either separate or merged.
Voluntary and transparent:
• Individuals choose to participate or not (i.e. opt-in).
• Individuals can control their digital identities in an easy and straightforward
manner.
• Records of authentication credential use are maintained securely and easily
accessible by those authorised to do so.
Service delivery focused:
• Accredited Identity Service Providers and Credential Service Providers offer
choice and convenience for users.
• Participation is cost neutral for users.
• The supporting business model encourages private sector participation.
Privacy enhancing:
• Personal information is only collected and disclosed with the consent of the
individual and in accordance with privacy laws and good privacy practices.
• Privacy enhancing technology, policy and processes are applied to all personal
information.
• Individuals have an informed understanding of how their personal information will
be used and protected.
• Individuals can view and manage their personal information, correct errors and
revoke their consent.
Collaborative:
• Active collaboration between the public and private sectors and the broader
community will draw on the respective strengths and expertise of government and
business and reflect the strengths and other characteristics of the identity
federation.
Interoperable:
• Facilitate interconnectedness with other Trust Frameworks and identity services
nationally and internationally.
• Scalable to grow and accommodate the needs of accredited Participants and
Relying Parties.
Adaptable:
• Promote flexibility and innovation in technology and business models.
• The TDIF is flexible enough to evolve to meet community expectations and
changing business, technology, legal and social needs.
• The identity federation is architected to support secure transactions ranging from
low to high value and from pseudonymous to fully verified.
Secure and resilient:
• Accredited Providers meet stringent Government security standards.
• The same accreditation requirements apply to government agencies and
organisations.
• Cyber security threats and risks are identified and actively managed by
accredited Participants and Relying Parties.
• Effective fraud management controls are implemented and maintained.
3.8 TDIF Objectives
Based on the above principles, the TDIF will facilitate the following outcomes:
• Simple, easy to use, secure and trusted: a digital end-to-end identity service
that people want to use.
• Accessible: digital identity services that are accessible to all people regardless of
their location, circumstances, abilities or the computing devices they use.
• Security and privacy-preserving: digital identity services are security and
privacy preserving. No single identifier is issued by the Identity Exchange to
Identity Service Providers, Attribute Service Providers or Relying Parties. There is
no single digital authentication credential or centralised database of personal
information. People are given greater control over their personal information and
who their personal information is shared with. The identity federation implements
safeguards and recovery mechanisms in the event an individual’s digital identity is
compromised.
• Standards based: digital identity services support open standards to facilitate
interoperability including with other jurisdictions.
3.9 What success looks like
Success is not a static concept. It is constantly evolving and includes many
characteristics. The TDIF has achieved a level of success.
• The DTA has released four components to the TDIF, each being developed
with input from across government and with the private sector (addressing one
of the aims of the Inquiry).
• The TDIF Accreditation Process has successfully been applied to each of the
four accreditation roles.
• The DTA has demonstrated the extensive and Australia-wide use of the TDIF
name which resulted in it being trademarked in 2019.
Further success for the TDIF will be demonstrated when:
• It is used to accredit a commercial sector or an Australian State or Territory
government identity service.
• It is used as the basis of mutual recognition of digital identity with another Trust
Framework authority.
Initial success for the identity federation will be measured by:
• The number of individuals who establish a digital identity through an Identity
Service Provider of their choice.
• The range of Relying Parties available for an individual to transact with.
• Its development and operational costs.
• The effort and resources required to onboard accredited Participants and
Relying Parties.
Further success for the identity federation will be demonstrated when:
• The accuracy of verifying identity documents used by individuals to create a
digital identity is improved.
• A commercial or an Australian State or Territory government Identity Service
Provider, Identity Exchange or Relying Party is connected.
• A digital identity created at the Commonwealth Identity Service Provider is
used to transact with a commercial or an Australian State or Territory
government Relying Party.
• A digital identity created with a commercial or an Australian State or Territory
government Identity Service Provider is used to transact with a
Commonwealth Relying Party.
• The Oversight Authority executes its roles and responsibilities in an effective
and transparent manner.
• The Commonwealth Government enacts a digital identity law.