Secure Req 5

From IDESG Wiki
Jump to: navigation, search

<< Back to Baseline Functional Requirements Index

SECURE-5. CREDENTIAL ISSUANCE

Entities that issue or manage credentials and tokens MUST do so in a manner designed to assure that they are granted to the appropriate and intended USER(s) only. Where registration and credential issuance are executed by separate entities, procedures for ensuring accurate exchange of registration and issuance information that are commensurate with the stated assurance level MUST be included in business agreements and operating policies.

SUPPLEMENTAL GUIDANCE

Procedures exist to ensure the user(s) who receives the credential and associated tokens is the same user(s) who participated in registration. These can include:

  • The use of secure transport for credential and token data (see SECURE-2 (DATA INTEGRITY));
  • Out-of-band distribution of credentials or tokens;
  • In-person issuance of credentials or tokens.

Attribute verification (i.e., identity proofing) done during registration must be robust enough to provide sufficient confidence in the identity to support the intended use(s) of the credential. Subsequent attribute verification (i.e., proofing) must be executed in a manner consistent with intended use of the attributes.

REFERENCES

FICAM TFPAP Trust Criteria, Registration and Issuance, LOA 2-3, #4 (p.21, 37)

APPLIES TO ACTIVITIES

CREDENTIALING

KEYWORDS

CREDENTIAL, DATA-INTEGRITY, PROCESS, PROVISIONING, SECURITY, TOKEN



Quick Links: SALS | Baseline Functional Requirements v1.0 | Glossary |