The Smart Card Alliance released a report on how PIV and PIV-I can be leveraged by others to fulfill identity needs. Calling the credentials Commercial Identity Verification (CIV), the documents can use the PIV-I specification, technology and data model without the requirement for cross-certification.
Any enterprise can create, issue, and use CIV credentials according to requirements established within that enterprise’s unique corporate environment. This white paper is designed to provide guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standards-based identity credentialing program.
The paper discusses benefits, describes best practices and technical requirements, and provides a set of reference documents to assist corporations in establishing a secure, reliable, electronically verifiable identity program.
Standards based
One of the advantages of these credentials is that they adhere to a set of standards that is accepted by suppliers, issuers and users. Typically, most access control systems relied on proprietary identity credentials and interoperability was typically confined to a few office sites belonging to a single organization.
A standards-based credential means that any employee’s credential can be accepted by any facility and IT network that adheres to that standard. Enterprises that use this credential and access control products built to support the PIV-I credential can achieve levels of access control security and technical interoperability similar to those available using PIV cards.
The CIV credential is technically compatible with the PIV-I credential specifications. However, a CIV credential issuer need not comply with the strict policy framework associated with issuance and use of the PIV and PIV-I credentials. This freedom enables corporate enterprises to deploy the standardized technologies in a manner that is suitable for their own corporate environments.
The white paper can be downloaded here. ![[end]](/resources/bullet/digitalidnews-4.gif)
I am very surprised that the SCA is suggesting a Commercial Identity Verification (CIV), promoting a technology and data model without the requirement for cross-certification. Without federated trust the technology and data model suggested can only lead to more silo'd implementations that will increase the total cost of ownership. I would expect the SC industry that was so instrumental to federation within the CC ecosystem would not recommend a non-scalable path.