CANdy Network Governance Framework
Intergovernmental Collaboration on Digital Trust and Credentials (ICDTC)
Introduction
The CANdy Network Governance Framework document was created in accordance with the Trust Over IP's Governance Metamodel Specification. The Framework has been developed by select representatives from the provinces of British Columbia, Quebec and Ontario in collaboration with IBM Consulting and others. CANdy is the Canadian instance of a Hyperledger Indy implementation.
Purpose
The purpose of the CANdy Network Governance Framework is to set in place the principles, scope, roles, and policies that enable the governance, operation, and use of a common Verifiable Data Registry (VDR), called the CANdy Network. The CANdy Network will support verifiable credentials that build trust in online digital interactions and the digital economy in Canada.
Objectives
The objectives of the CANdy Network Governance Framework are as follows:
- Define a governance model that supports the initialization of the CANdy Network and subsequent onboarding of Members and the deployment of CANdy nodes.
- Provide a CANdy Network governance model that enables CANdy to reliably provide trusted, identifying information about Canadian credential issuers and the credentials they issue.
- Elevate trust in the CANdy Network by publicly exposing which actors endorsed specific transactions and what those transactions contained without sharing sensitive data.
- Define a model that maintains each Member’s sovereignty, within their existing authorities, and coordinates the operation and shared governance of the CANdy Network.
- Define the foundational rules and policies for the operation of the CANdy Network and its nodes.
- Identify unique governed roles which operate or use the CANdy Network and define governing policies tailored to each role. These policies are designed to foster trust and ensure security in the Network's utilization and operation.
- Encourage an increase in the number of participating Members and Non-Members in the governance, operation, and use of the CANdy Network.
Guiding Principles
The following principles guide the development of policies in the CANdy Network Governance Framework:
Shared Governance Model
The CANdy Network recognizes that the governance, operation, and use of a Verifiable Data Registry for Canadian government entities requires a shared governance model between and among Members. All Members are committed to prioritizing the collective interests and upholding the guiding principles outlined in this Framework.
Member Sovereignty
Although the CANdy Network has a shared governance model, it does not encroach on the sovereign decision-making rights within Members’ existing authorities. The intent of this Framework is to maximize the independent operation and use of the CANdy Network by its Members.
Openness & Interoperability
Members and non-members MUST use open standards and avoid mechanisms that prevent users' ability to achieve interoperability or data portability within the CANdy Network and across other networks and systems.
Accountability
All CANdy governed roles shall be accountable to each other and must adhere to the purpose, principles, and policies of the CANdy Network Governance Framework. All governed roles shall be responsible for, and must demonstrate compliance with, any other requirements of applicable law.
In-Scope
Roles
The governed Member roles in the CANdy Network production environment are as follows:
- Trustee
- Steward
- Endorser
- Network Monitor
The governed Non-member roles which interact with the CANdy Network are as follows:
- Issuer
- Non-registered Ledger Reader
- Registered Ledger Reader
Other Relevant Stakeholders
In addition to the main actors, the CANdy Network also engages with other stakeholders for specific purposes:
- Technical Integrators - Technology solution providers that integrate their solution with the CANdy Network for purposes of credential issuance, information retrieval, or verification.
Out of Scope
The following topics are outside the scope of this Governance Framework.
- The policies that a Member defines for qualifying and endorsing Issuers, Registered Ledger Readers, and Non-Registered Ledger Readers.
- The policies that a Member defines for qualifying and endorsing schemas, credential definitions, and revocation registry definitions.
- The policies that a Member defines for qualifying and delegating the roles of Trustee, Steward, Network Monitor, or Endorser to an individual.
- The policies that an application, which is integrated with the CANdy Network, sets within their existing authority.
Governed Member Role Policies
Trustee
General Requirements
A Trustee is both an individual and an Indy role that can be assigned to a delegate's decentralized identifier (DID) on the CANdy Network. Trustees act as administrators for their entity's operation and use of the CANdy Network.
A Member SHOULD have at least three Trustees. A Member MAY have a maximum of four Trustees. This ensures that two Trustees from a Member are available as needed to conduct permission changes.
Responsibilities
- Permission and de-permission DIDs to governed roles within the CANdy Network Governance Framework.
- Sign transactions as defined in the CANdy Network's auth_rules.
- Execute the directives issued by the Steering Committee concerning CANdy Network policies.
- Inform their respective jurisdictional Steering Committee.
- Administrate overall CANdy Network activities and coordinate with their entity's Stewards, Network Monitors, Endorsers, and other teams.
Onboarding Policies
The requirements to be onboarded as a CANdy Network Trustee are:
- The individual MUST be actively employed by or contracted with their sponsoring Member.
- Each individual acting as a Trustee MUST possess a unique Trustee DID on the CANdy Network, exclusively assigned to the role of Trustee. The DID cannot be assigned to a team.
- Each Member has the right to set their own additional policies and procedures for delegating the role of Trustee to an individual.
Offboarding Policies
- To offboard a Trustee, a Member MUST demote the individual's DID so that they no longer have Trustee privileges assigned to their DID.
- Each Trustee has the right to set their own additional policies and procedures for when and how an individual may be offboarded as Trustee.
Steward
General Requirements
Steward is an Indy role given to entities that operate CANdy Network nodes.
If a jurisdiction operates nodes, they must be operated by a Steward: each Member node MUST have one assigned Steward DID. The Steward role is exercised by Member teams who have access to their respective Steward DIDs.
Responsibilities
- Stewards are responsible for the operation, performance, and security of any nodes their jurisdiction operates.
- Stewards MUST respect the policies and requirements outlined in the Technical Policies.
- Execute the directives issued by the Steering Committee concerning CANdy Network policies.
- Stewards author and endorse the following transaction types on the CANdy Network:
  - Node configuration writes that affect the node they own/operate.
Onboarding Policies
- Individuals designated to the role of Steward must be granted access to the Steward DIDs of their jurisdiction’s nodes on the CANdy Network.
- Unless otherwise directed by the Steering Committee, the responsibility for onboarding individuals to the role of Steward within a jurisdiction lies with the respective jurisdiction's Trustees.
Offboarding Policies
- Unless otherwise directed by the Steering Committee, offboarding of individuals from the role of Steward is the responsibility of the Trustee from the relevant jurisdiction.
Endorser
General Requirements
An Endorser is an Indy role that MUST be assigned to an Endorser DID on the CANdy Network. An Endorser refers to an entity that confirms the validity or authenticity of a transaction before it is written to the verifiable data registry.
Each Member MUST have use of an Endorser service. Members MAY have one or more Endorser service(s). Each Endorser service has a single DID on the CANdy Network. That DID may be controlled by a team or a single individual as per the Members’ own policies. Members have sovereignty over their use of their Endorser service. Endorsers must adhere to their own jurisdictional governance.
Responsibilities
- Endorsers are responsible for endorsing transactions authored by themselves or Issuers.
- Transactions MUST receive endorsement from at least one Endorser specific to their jurisdiction before being authorized for writing onto the CANdy Network. In cases where an Issuer is shared between jurisdictions, collaboration between relevant jurisdictions is required to facilitate endorsement.
- Endorsers can endorse the following transaction types on the CANdy Network:
  - DID writes on the CANdy Network for unprivileged Issuers
  - Schemas
  - Credential Definitions
  - Revocation Registry Definitions
  - Revocation Registry Entries
- An Endorser MUST adhere to the definition of which transactions they may endorse, as defined by their Trustees.
Onboarding Policies
- The individuals that act as an Endorser for a Member MUST be actively employed or contracted with their sponsoring Member.
- Members MUST maintain a separation of duties for the individuals or entities that act as Trustees and Endorsers on their behalf.
- Endorsers MUST include the alias of a DID owner in the DID document, unless an exception has been granted by the Steering Committee.
- Endorsers MUST validate that an Issuer's DID document complies with the relevant legislation in their jurisdiction.
- Unless otherwise directed by the Steering Committee, the responsibility for onboarding Endorsers within a jurisdiction lies with the respective jurisdiction’s Trustees.
Offboarding Policies
- Unless otherwise directed by the Steering Committee, the offboarding of Endorsers is the responsibility of the Trustees from the relevant jurisdiction.
Network Monitor
General Requirements
Network Monitor is an Indy role given to entities that monitor the CANdy Network as a whole. A Network Monitor has privileged read-only access to nodes on the CANdy Network, providing additional information on the node normally not available to the public. This privileged information should be used only to monitor the health of the CANdy Network and to assist Stewards as needed to maintain high availability.
A Network Monitor MUST have a DID.
Members are not required to run network monitoring to be a part of the CANdy Network.
Responsibilities
Network Monitors MUST adhere to the policies and requirements outlined in the Technical Policies.
Onboarding Policies
- Unless otherwise directed by the Steering Committee, the onboarding of Network Monitors is the responsibility of the Trustees from the relevant jurisdiction.
Offboarding Policies
- Unless otherwise directed by the Steering Committee, the offboarding of Network Monitors is the responsibility of the Trustees from the relevant jurisdiction.
Governed Non-member Role Policies
Issuer
General Requirements
An Issuer is any Canadian entity that has been provisioned a public DID on the CANdy Network and that has not been permissioned to a governed Member role.
Any transaction that an Issuer authors MUST be endorsed by an Endorser before it can be written to the CANdy Network. Currently, Issuers can write updates to their DID Document without endorsement from the Endorser. The owner of a DID can update attributes and their Verification key (Verkey). They cannot change their role.
The issuance of credentials which reference a credential definition associated with their DID on the CANdy Network does not require any endorsement.
Responsibilities
Issuers can author the following transactions to the CANdy Network:
- Credential Schemas
- Credential Definitions
- Revocation Registry Definitions
- Revocation Registry Entries
Following endorsement of the above transactions, Issuers MAY write them to the CANdy Network.
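As an added illustration (not the network's actual Indy auth_rules configuration or any project code), the following Python model encodes the write-authorization rules this framework states for Issuers, Endorsers, Stewards and Trustees: Issuer-authored schema and credential transactions need an Endorser signature from the author's own jurisdiction, own-DID attribute and verkey updates do not, a DID owner cannot change their role, and node configuration is limited to the operating Steward. The DIDs, jurisdiction labels, node names and transaction-type names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
# Transaction-type names are constructed for this example; Indy's codes differ.
ENDORSED_TXNS = {"SCHEMA", "CRED_DEF", "REVOC_REG_DEF", "REVOC_REG_ENTRY"}  # need an Endorser
SELF_SERVICE_TXNS = {"ATTRIB", "VERKEY"}  # own-DID updates, no endorsement needed

@dataclass
class Actor:
    did: str
    role: str               # TRUSTEE, STEWARD, ENDORSER, NETWORK_MONITOR or ISSUER
    jurisdiction: str
    nodes: Set[str] = field(default_factory=set)  # nodes a Steward operates

@dataclass
class Request:
    txn_type: str
    author: str                     # DID whose signature authored the request
    endorser: Optional[str] = None  # DID of the endorsing signature, if any
    target_node: Optional[str] = None
    target_did: Optional[str] = None
    changes_role: bool = False

# Constructed sample ledger; the QC Endorser exercises the jurisdiction check.
LEDGER = {a.did: a for a in [
    Actor("did:sov:trusteeBC", "TRUSTEE", "BC"),
    Actor("did:sov:stewardBC", "STEWARD", "BC", {"node-bc-1"}),
    Actor("did:sov:endorserBC", "ENDORSER", "BC"),
    Actor("did:sov:endorserQC", "ENDORSER", "QC"),
    Actor("did:sov:issuerBC", "ISSUER", "BC"),
]}

def authorize(req: Request, ledger: Dict[str, Actor] = LEDGER) -> Tuple[bool, str]:
    """Return (allowed, reason) for a write under the framework's role policies."""
    author = ledger.get(req.author)
    if author is None:
        return False, "author DID is not on the ledger"
    if req.txn_type == "ROLE_CHANGE":       # permission / de-permission a DID
        return author.role == "TRUSTEE", "role changes are a Trustee transaction"
    if req.txn_type == "NODE_CONFIG":
        if author.role != "STEWARD" or req.target_node not in author.nodes:
            return False, "only the Steward operating a node may configure it"
        return True, "Steward operates the target node"
    if req.txn_type in SELF_SERVICE_TXNS:
        if req.target_did != req.author or req.changes_role:
            return False, "owner-only update, and an owner cannot change their role"
        return True, "own-DID update needs no endorsement"
    if req.txn_type in ENDORSED_TXNS:
        if author.role == "ENDORSER":
            return True, "Endorsers may write transactions they author themselves"
        endorser = ledger.get(req.endorser or "")
        if endorser is None or endorser.role != "ENDORSER":
            return False, "transaction lacks an Endorser signature"
        if endorser.jurisdiction != author.jurisdiction:
            return False, "Endorser must belong to the author's jurisdiction"
        return True, "endorsed by an Endorser of the author's jurisdiction"
    return False, "unknown transaction type"
```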
Onboarding Policies
- Issuer DIDs on the CANdy Network can only be provided to Canadian government entities, Indigenous governing bodies, and any other "broader public sector" entity in Canada.
- Unless otherwise directed by the Steering Committee, the onboarding of Issuers is the responsibility of the relevant jurisdiction.
Offboarding Policies
- Once an Issuer has been provisioned with a public DID it is not possible to remove the DID from the CANdy Network. Members can determine what credential definitions an entity can be associated with, but once the association has been made, it cannot (at this time) be reversed.
Non-registered Ledger Reader
General Requirements
Because the CANdy Network is publicly available there are no onboarding, maintenance, or offboarding requirements that this role-type needs to adhere to.
Registered Ledger Reader
General Requirements
A Registered Ledger Reader is an entity that a Member recognizes to be trusted. These entities serve as trusted verifiers on the CANdy Network.
Onboarding Policies
- Registered Ledger Reader DIDs on the CANdy Network can only be provided to Canadian government entities, Indigenous governing bodies, and any other "broader public sector" entity in Canada.
- Unless otherwise directed by the Steering Committee, the onboarding of Registered Ledger Readers is the responsibility of the relevant jurisdiction.
Offboarding Policies
- Unless otherwise directed by the Steering Committee, the offboarding of Registered Ledger Readers is the responsibility of the Trustee from the relevant jurisdiction.
Node Management Guidelines
The following provisions regarding the addition and removal of nodes from the CANdy Network minimize risks to performance, resilience, and data integrity:
A minimum of 4 nodes is required to initiate the base CANdy network.
Members are not required to stand up CANdy nodes to be part of the CANdy Network.
Addition of Nodes
- Members MUST obtain approval from the Governing Board prior to deploying a node on the CANdy Network.
- Following approval, the Member MUST nominate Stewards to run and operate their respective node(s).
Removal of Nodes
- Members who intend to withdraw their node(s) from the CANdy Network MUST provide a minimum of 90 days' written notice to both the ICDTC Governing Board and Steering Committee.
- The Member MUST communicate relevant information regarding the node withdrawal with remaining members prior to decommissioning their node(s), including confirmation that the node scheduled for decommissioning is not the sole repository of the verifiable data registry's Genesis files.
- Before a member's node is decommissioned, the other members of the ICDTC Steering Committee MUST determine if any actions are necessary to maintain the health of the CANdy Network.
- Once the node is taken offline and removed from the CANdy Network, the Member jurisdiction MUST demote the node's associated Steward DID.
- If the Member withdraws specific nodes but remains part of the ICDTC, they MAY retain any combination of the Trustee, Endorser, or Network Monitor roles, as appropriate to their continued involvement. This information MUST be communicated to the ICDTC Steering Committee.
- In the instance that a jurisdiction completely withdraws from the ICDTC, the remaining members MUST ensure the demotion of all the departed member's roles from the CANdy Network (Trustees, Endorsers, Stewards, and Network Monitors).
Risk Management
Each member jurisdiction is responsible for managing risks associated with its nodes on the CANdy Network. The ICDTC Steering Committee members are responsible for coordinating the appropriate mitigation strategies with their respective technical teams and informing the other jurisdictions, as appropriate.
Members are also encouraged to share best practices and insights from their risk assessments; however, each jurisdiction retains full responsibility for ensuring compliance with its own legal and regulatory frameworks.
Audits
Policies for auditing nodes on the CANdy Network are independently set by each member jurisdiction. It is recommended, however, that jurisdictions consider adopting recognized security standards, such as ISO/IEC 27001.
Confidentiality
The Intergovernmental Agreement stipulates the confidentiality of discussions between the Members (clause 9).
Certain CANdy Network Member roles (Trustees, Stewards, and Network Monitors) involve access to privileged technical information concerning the nodes, including software details, versions, and alerts.
Members MUST take reasonable precautions to safeguard the confidentiality and security of this technical information.
Localization
This section covers the policies governing languages and translations for the CANdy Network Governance Framework, with languages identified by IETF BCP 47 language tags.
Official Languages
The Governance Framework has been developed and executed in English and French and both versions have equal legal standing. All amendments to this framework will be made in both English and French.
Terminology and Notation
The Canadian Digital Trust and Credentials Collaboration Glossary is in development. The beta version is available here: INSERT LINK.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Appendices
Appendix A
CANdy Network Governed Roles Overview
Governed Role | CANdy Network Member | Decentralized Identifier (DID) Assignment | Permissions / Transactions |
---|---|---|---|
Trustee | ✔️ | 1 DID per Trustee (Trustees per Member: ≥2, ≤4) | Permission and de-permission DIDs to governed roles; sign transactions as defined in the auth_rules |
Steward | ✔️ | 1 DID per node | Node configurations that affect the node they own/operate |
Network Monitor | ✔️ | 1 DID per Network Monitor | Read-only access |
Endorser | ✔️ | 1 DID per Endorser | Endorses and writes the following transactions to the CANdy Network: DID writes for unprivileged Issuers, Schemas, Credential Definitions, Revocation Registry Definitions, Revocation Registry Entries |
Issuer | ❌ | Subject to jurisdictional policies | Authors: Credential Schemas, Credential Definitions, Revocation Registry Definitions, Revocation Registry Entries |
Non-Registered Ledger Reader | ❌ | No DID | Read and interpret the transactions recorded on the VDR |
Registered Ledger Reader | ❌ | 1 DID per Registered Ledger Reader | Read and interpret the transactions recorded on the VDR |
Appendix B
CANdy Network Roles Schema