Secure Req 5
<< Back to Baseline Functional Requirements Index
SECURE-5. CREDENTIAL ISSUANCE
Entities that issue or manage credentials and tokens MUST do so in a manner designed to assure that they are granted to the appropriate and intended USER(s) only. Where registration and credential issuance are executed by separate entities, procedures for ensuring accurate exchange of registration and issuance information that are commensurate with the stated assurance level MUST be included in business agreements and operating policies.
Procedures exist to ensure the user(s) who receives the credential and associated tokens is the same user(s) who participated in registration. These can include:
- The use of secure transport for credential and token data (see SECURE-2 (DATA INTEGRITY));
- Out-of-band distribution of credentials or tokens;
- In-person issuance of credentials or tokens.
Attribute verification (i.e., identity proofing) done during registration must be robust enough to provide sufficient confidence in the identity to support the intended use(s) of the credential. Subsequent attribute verification (i.e., proofing) must be executed in a manner consistent with intended use of the attributes.
FICAM TFPAP Trust Criteria, Registration and Issuance, LOA 2-3, #4 (p.21, 37)