Basic In-Person Subscriber Credential Issuance, v1.0

Assessment Step: Evidence for Proper Credential Issuance (EvidenceforProperCredentialIssuance)

Is there evidence that the trustmark applicant issues credentials in-person as required? Acceptable evidence may take the form of policies, procedures, practice statements, demonstrated technical capabilities, or assessment reports. Describe the evidence that demonstrates conformance.

Evidence that Demonstrates Conformance

Conformance Criteria (1)

In-Person Credential Issuance: The CSP MUST issue credentials to subscribers in-person.

Citations: Registration and Issuance Table; Section 5: Registration and Issuance Processes
Trustmark Definition Metadata

| Attribute | Value |
|---|---|
| Trustmark Reference Attribute | https://artifacts.trustmarkinitiative.org/lib/trustmark-definitions/basic-in-person-subscriber-credential-issuance/1.0//trustmark-reference/ |
| Keywords | Identity, Identity Assurance, CSP, Credential Service Provider, IDP, Identity Provider, Identity Proofing, Registration, RA, Registration Authority |
| Target Stakeholder | Organizations that are interested in implementing or making use of digital identities in a manner that complies with widely accepted identity management standards and practices such as NIST Special Publication 800-63-2. |
| Target Recipient | Credential Service Providers (CSPs) whose subscriber registration and credential issuance practices require formal vetting. |
| Target Relying Party | Relying Parties (RPs) that wish to see evidence of the vetting of their Credential Service Provider (CSP) collaborators' registration and credential issuance practices. |
| Target Provider | Organizations that audit or evaluate other organizations for compliance with widely accepted identity management standards and practices such as NIST Special Publication 800-63-2. |
| Provider Eligibility Criteria | Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition. |
| Assessor Qualifications | Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition. |
| Trustmark Revocation Criteria | For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied. |
| Extension Description | This Trustmark Definition requires no extension data. |
| Legal Notice | This document and the information contained herein is provided on an "AS IS" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |
Sources

| Source | Reference |
|---|---|
| TFPAP-LOA2 | FICAM Trust Framework Solutions (TFS) Trust Framework Provider Adoption Process (TFPAP) for All Levels of Assurance, v2.0.2. March 14, 2014. Appendix A-2: Assurance Level 2. Available at http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_TFPAP_0.pdf. |
| SP800-63-2 | NIST Special Publication 800-63-2: Electronic Authentication Guideline. August 2013. Available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf. |
| TFPAP-LOA3 | FICAM Trust Framework Solutions (TFS) Trust Framework Provider Adoption Process (TFPAP) for All Levels of Assurance, v2.0.2. March 14, 2014. Appendix A-3: Assurance Level 3. Available at http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_TFPAP_0.pdf. |
Terms

| Term | Abbreviation | Definition |
|---|---|---|
| Applicant | | A party undergoing the processes of registration and identity proofing. |
| Approved Cryptographic Method | | FIPS approved or NIST recommended. An algorithm or technique that is either (1) specified in a FIPS or NIST Recommendation, or (2) adopted in a FIPS or NIST Recommendation. |
| Authentication Factor | | A category of tokens that is either "something you know" (e.g., a password), "something you have" (e.g., a cryptographic key), or "something you are" (e.g., a fingerprint). |
| Authentication Protocol / Authentication Scheme | | A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the claimant that he or she is communicating with the intended verifier. An authentication protocol may also define the generation of an authentication assertion to be provided to an RP. |
| Authentication Protocol Run | | An exchange of messages between a claimant and a verifier that executes an authentication protocol and results in authentication, or authentication failure, between the two parties. |
| Claimant | | A party whose identity is to be verified using an authentication protocol. |
| Credential | | An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a subscriber. A credential may be maintained by the subscriber to which the credential was issued or by the CSP that issued the credential. |
| Credential Service Provider | CSP | An entity that issues or registers subscriber tokens and issues credentials to subscribers (i.e., a CSP conducts the issuance process). A CSP may encompass RAs and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. |
| Established Policy, Procedure, or Practice Statement | | A policy, procedure, or practice statement that has been formally adopted and put into use by an entity. |
| Established Technical Capability | | The ability to accurately implement and maintain, as part of normal business operations, a technical mechanism for achieving some goal. |
| External RA Designee | | An RA designee that is governed by an entity other than the CSP that it serves. |
| External Verifier Designee | | A verifier designee that is governed by an entity other than the CSP that it serves. |
| Federal Identity, Credential, and Access Management | FICAM | An initiative for implementing ICAM principles within the U.S. Federal Government. |
| Identity Proofing | | The process by which a CSP and an RA collect and verify information about a person for the purpose of issuing credentials to that person. |
| Identity Provider | IDP | This term may be used either as a synonym to CSP, or to denote a system used to perform the token / credential validation functions of a CSP and the authentication and assertion issuance functions of a verifier. |
| Identity Relying Party | identity RP | See "RP". |
| Issuance | | The process of issuing tokens or credentials to a subscriber of a CSP. |
| Look-Up Secret Token | | A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input). |
| Memorized Secret Token | | A secret shared between the subscriber and the CSP. |
| Multi-Factor Token | | A token that uses two or more factors to achieve authentication. |
| Multi-Stage Authentication | | An authentication scheme, or series of authentication schemes used together, in which one token is used to obtain a second token. |
| Multi-Token Authentication | | An authentication scheme in which the claimant presents token authenticators generated by two or more tokens (not using a multi-stage process) to prove his or her identity to the verifier. The combination of tokens is characterized by the combination of factors used by the tokens (both inherent in the manifestation of the tokens, and those used to activate the tokens). |
| National Institute of Standards and Technology | NIST | NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards. |
| Out-of-Band Token | | A physical token that is uniquely addressable and can receive a Verifier-selected secret for one-time use. The device is possessed and controlled by the Claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. The token authenticator is the received secret and is presented to the Verifier using the primary channel for e-authentication. |
| Personally Identifiable Information | PII | Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. |
| Policy | | A statement of criteria to which an entity is expected to conform. |
| Practice Statement | | A formal statement of the practices followed by a party. A practice statement usually describes the policies and practices of the party and can become legally binding. |
| Pre-Registered Knowledge Token | | A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the Subscriber and CSP during the registration process. |
| Procedure | | A sequence of steps that achieves some stated goal. |
| RA Designee | | An RA designated by a particular CSP to conduct registration and/or identity proofing processes on behalf of that CSP. An RA designee may be governed directly by the relying CSP (e.g., a department or business unit of the CSP), or by an entity external to the relying CSP. |
| Registration | | The process through which an applicant applies to become a subscriber of a CSP and an RA validates the identity of the applicant on behalf of the CSP. In other words, registration includes identity proofing and refers to the registration by an RA of the results of performing identity proofing on an applicant. |
| Registration And Issuance | | The sequence of the registration and issuance processes. |
| Registration Authority | RA | An entity that establishes and vouches for the identity or attributes of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). It is important for an RA to be trusted by the CSPs and applicants that it serves and RPs that rely on the identity proofing that it does. |
| Relying Party | RP | An entity that relies upon a subscriber's credentials or verifier's assertion of an identity, typically to process a transaction or grant access to an information system. |
| Shared Secret | | A secret used in authentication that is known to the claimant and the verifier. |
| Shared Secret File | | A file held by a CSP or verifier that contains secrets held between the CSP or verifier and its subscribers or claimants. |
| Single-Factor Token | | A token that uses one of the three factors to achieve authentication. |
| Single-Token Authentication | | An authentication scheme in which the claimant presents a single token authenticator to prove his or her identity to the verifier. |
| Subscriber | | A party who has received a credential or token from a CSP. |
| Token | | Something that a claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant's identity. |
| Token Authenticator | | The output value generated by a token. This value is one that is provided to a protocol stack to prove that a claimant possesses and controls a token. Protocol messages sent to a verifier are dependent upon the token authenticator, but may or may not explicitly contain it. |
| Trust Framework Provider Adoption Process | TFPAP | The Federal Identity, Credential, and Access Management (FICAM) Trust Framework Provider Adoption Process is a documented process by which the U.S. federal government approves Trust Framework Providers (TFPs) to perform the function of assessing and qualifying credential service providers (CSPs) under the FICAM Trust Framework Solutions (TFS) program. |
| Verifier | | An entity that verifies a claimant's identity by verifying the claimant's possession and control of a token using an authentication protocol. To do this, the verifier may also need to validate credentials that link the token and identity and check their status. |
| Verifier Designee | | A verifier designated by a particular CSP to conduct authentication protocol run processes on behalf of that CSP. A verifier designee may be governed by the CSP (e.g., a department or business unit of the CSP), or by an entity external to the CSP. |