baseid-pctf

Implements all five PCTF components defined by DIACC, providing identity assurance evaluation, consent lifecycle management, hash-chained audit trails, policy validation, and bilingual (EN/FR) compliance reporting.

Key Features

• IAL Evaluation — 11 evidence types, 6 verification methods, Level 1/2/3 scoring with upgrade guidance
• Consent Management — Creation, expiry, revocation, purpose limitation enforcement
• Audit Trails — Hash-chained, tamper-detecting, append-only log with privacy redaction
• Policy Engine — Multi-check validation (assurance, type, issuer, consent) with bilingual errors
• Compliance Reports — Self-assessment covering all 5 PCTF components, EN/FR output

PCTF Component Mapping

PCTF Component	Module	Key Types
Verified Person	assurance	AssuranceLevelEvaluator, EvidenceType, EvidenceBundle
Credential Management	policy	PctfPolicy, PctfValidator, PolicyResult
Notice & Consent	consent	ConsentManager, ConsentRecord, ConsentStatus
Digital Integrity	audit	AuditLog, AuditEntry, RedactionPolicy
Compliance	report	ReportBuilder, PctfComplianceReport, ComponentStatus

Assurance Level Evaluation

Identity proofing evidence is evaluated against PCTF scoring rules:

use baseid_pctf::AssuranceLevelEvaluator;
use baseid_pctf::assurance::*;

let bundle = EvidenceBundle {
    subject: "did:key:z6MkHolder".into(),
    evidence: vec![
        Evidence {
            evidence_type: EvidenceType::InPerson,
            verification: VerificationMethod::VisualInspection,
            issuer: "did:web:servicecanada.gc.ca".into(),
            timestamp: "2026-03-01T00:00:00Z".into(),
        },
        Evidence {
            evidence_type: EvidenceType::Biometric,
            verification: VerificationMethod::BiometricMatch,
            issuer: "did:web:servicecanada.gc.ca".into(),
            timestamp: "2026-03-01T00:00:00Z".into(),
        },
        Evidence {
            evidence_type: EvidenceType::GovernmentPhotoId,
            verification: VerificationMethod::DatabaseCheck,
            issuer: "did:web:servicecanada.gc.ca".into(),
            timestamp: "2026-03-01T00:00:00Z".into(),
        },
    ],
};

let result = AssuranceLevelEvaluator::evaluate_bundle(&bundle);
// result.level == AssuranceLevel::High (Level 3)
// result.pctf_name == "Level 3"
// result.upgrade_possible == false

Scoring Rules

Level	PCTF Name	Requirements
Low	Level 1	Self-asserted identity or unverified evidence
Substantial	Level 2	Verified government document + additional factor
High	Level 3	In-person/supervised + biometric + government photo ID

Evidence Types

GovernmentPhotoId, GovernmentDocument, Biometric, InPerson, SupervisedRemote, DocumentVerification, ChannelBinding, KnowledgeBased, SelfAsserted, AddressDocument, TrustedCredential

Cross-Framework Mapping

PCTF	eIDAS	NIST 800-63	TDIF
Level 1	Low	IAL1	IP1
Level 2	Substantial	IAL2	IP2
Level 3	High	IAL3	IP3

Consent Lifecycle

use baseid_pctf::{ConsentManager, ConsentRecord};

let mut mgr = ConsentManager::new();

// Record consent
mgr.record_consent(ConsentRecord::new(
    "consent-001",
    "did:key:z6MkHolder",        // subject
    "did:key:z6MkVerifier",      // recipient
    vec!["givenName".into(), "dateOfBirth".into()],
    "age-verification",          // purpose
    "2026-03-01T00:00:00Z",      // timestamp
    Some("2026-06-01T00:00:00Z".into()), // expires
));

// Check validity
let valid = mgr.find_valid_consents(
    "did:key:z6MkVerifier", "age-verification", "2026-04-01T00:00:00Z"
);

// Revoke
mgr.revoke_consent("consent-001");

// Check expiry
mgr.check_all_expiry("2026-07-01T00:00:00Z");

Consent Features

Feature	Method	Description
Create	ConsentRecord::new()	Active consent with purpose + data elements
Validate	is_valid(now)	Checks Active + not expired
Purpose check	covers(elements, purpose)	Verifies consent matches request
Revoke	revoke()	Transitions to Revoked status
Expire	check_expiry(now)	Auto-transitions to Expired
Query	find_valid_consents()	By recipient + purpose + time

Audit Trail

use baseid_pctf::AuditLog;
use baseid_pctf::audit::{AuditAction, RedactionPolicy, RedactableField};
use serde_json::json;

let mut log = AuditLog::new();
log.append("e-1", "2026-03-01T10:00:00Z", AuditAction::CredentialIssued,
    "did:web:gov.ca", json!({"type": "CanadianDigitalID"}));
log.append("e-2", "2026-03-01T11:00:00Z", AuditAction::ConsentGiven,
    "did:key:z6MkHolder", json!({"verifier": "did:key:z6MkVerifier"}));

// Tamper detection
assert!(log.verify_chain());

// Query
let issued = log.by_action(AuditAction::CredentialIssued); // 1 entry
let march = log.by_time_range("2026-03-01T00:00:00Z", "2026-03-31T23:59:59Z");

// Export with PII redaction
let policy = RedactionPolicy {
    redact: vec![RedactableField::Actor, RedactableField::Details],
    replacement: "[REDACTED]".into(),
};
let jsonl = log.export(&policy); // JSON Lines format

Audit Actions

CredentialIssued, CredentialPresented, CredentialVerified, CredentialRevoked, ConsentGiven, ConsentRevoked, DidCreated, DidResolved

Policy Validation

use baseid_pctf::{PctfPolicy, PctfValidator};
use baseid_pctf::policy::PresentationContext;
use baseid_core::types::AssuranceLevel;

let policy = PctfPolicy {
    min_assurance_level: AssuranceLevel::Substantial,
    require_consent: true,
    require_audit: true,
    accepted_types: vec!["CanadianDigitalID".into()],
    trusted_issuers: vec!["did:web:gov.ca".into()],
};

let result = PctfValidator::validate_presentation(&policy, &ctx, Some(&consent_mgr));
if !result.compliant {
    for violation in result.violations() {
        eprintln!("{}: {}", violation.name, violation.message);
        // Bilingual: "Assurance level Level 1 below minimum Level 2 /
        //  Le niveau d'assurance Level 1 est inférieur au minimum Level 2"
    }
}

Policy Checks

Check	Field	Description
assurance_level	min_assurance_level	Credential IAL >= policy minimum
credential_type	accepted_types	Type in whitelist (empty = accept all)
trusted_issuer	trusted_issuers	Issuer in whitelist (empty = accept all)
consent	require_consent	Valid consent exists for this presentation
audit	require_audit	Informational — flags audit requirement

Compliance Reporting

use baseid_pctf::ReportBuilder;
use baseid_core::types::AssuranceLevel;

let report = ReportBuilder::new(
    "BaseID Wallet",
    AssuranceLevel::Substantial,
    "2026-03-22T00:00:00Z",
)
.with_assurance_evaluation(true, 11)
.with_consent_management(true)
.with_audit_logging(true)
.with_crypto_integrity(true)
.with_revocation(true)
.build();

// report.overall_status == Conformant
// report.components.len() == 5
// report.title_fr == "Rapport d'auto-évaluation de conformité au CCNIP"
let json = serde_json::to_string_pretty(&report).unwrap();

Conformance Testing

BaseID validates protocol compliance through two mechanisms:

OpenID Foundation Conformance Suite

Tests OID4VCI 1.0, OID4VP 1.0, and HAIP 1.0 against the official OIDF test suite:

cd tools/conformance
bash setup.sh              # Clone + build + TLS certs
podman-compose up -d       # Start conformance suite
bash run-tests.sh all      # Run OID4VCI + OID4VP + HAIP tests

See tools/conformance/README.md for details.

PCTF Conformance Criteria Matrix

A complete mapping from every PCTF atomic process (BASE, SOUR, RESO, ESTAB, VALID, EVID, VERIF, MAINT) to BaseID code and tests is maintained in PCTF.md. Each criterion is tagged as:

• IMPL — Implemented in BaseID code with tests
• INFRA — BaseID provides infrastructure; Responsible Authority configures policy
• PROC — Process/policy requirement fulfilled by the Responsible Authority

Certification Pathway

PCTF certification is achieved through the DIACC Voila Verified Trustmark Program:

1. Self-assessment — ReportBuilder generates bilingual compliance report
2. Readiness advisor — Engage a DIACC-accredited advisor
3. Level 1 assessment — DTLab documentation review
4. Level 2 assessment — DTLab technical examination
5. Trustmark issuance — DIACC issues Voila Verified trustmark

Related Crates

• baseid-core — AssuranceLevel, AssuranceFramework
• baseid-wallet-core — Uses ConsentRecord in presenter
• baseid-verifier-core — VerificationPolicy with assurance checks
• baseid-issuer-core — Audit logging for issuance
• baseid-eidas — EU eIDAS 2.0 compliance (parallel framework)