Credential Lifecycle Guide

From NIEF Wiki
Revision as of 20:39, 9 April 2019 by Jeff.Krug

About

Covers basic lifecycle management for authenticators. FIDO specifics TBD.

Issuance

Addresses initial issuance.

Enrollment

  • Credential issuance happens as the final part of the identity proofing process.
  • The authenticator is bound at this time.

Redundancy

  • Should issue multiple credentials, including back-up credentials.

Add-on

  • Allow the user to add new authenticators of equal or lesser strength than the authenticator used for the current session; useful for generating back-up credentials.

Use Cases

Lost Authenticator

  • Other login methods (potentially for reissuance).
  • Reporting loss (potentially trigger revocation).

Reissuance

  • Replace credential.
  • In-person.
  • Necessitate new enrollment?
  • Viable via redundant credentials.

Expiration

  • Trigger reissuance before expiration.
  • Credential no longer valid.

Revocation

  • Mark credential as no longer valid.
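
The Add-on, Lost Authenticator, Expiration and Revocation rules above can be enforced together in one small credential registry. The sketch below is an added example, not code from the NIEF wiki; the Strength scale, the 30-day reissuance window and all class and method names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum

class Strength(IntEnum):  # assumed scale; the page does not define one
    PASSWORD = 1
    OTP = 2
    HARDWARE_KEY = 3

@dataclass
class Authenticator:
    name: str
    strength: Strength
    expires: datetime
    revoked: bool = False

    def is_valid(self, now):
        return not self.revoked and now < self.expires  # revoked or expired: no longer valid

@dataclass
class Account:
    authenticators: dict = field(default_factory=dict)

    def enroll(self, auth):
        # Binding at the end of identity proofing (proofing itself is out of scope here).
        self.authenticators[auth.name] = auth

    def add_on(self, session_name, new_auth, now):
        session = self.authenticators.get(session_name)
        if session is None or not session.is_valid(now):
            raise PermissionError("session authenticator is not valid")
        if new_auth.strength > session.strength:
            raise PermissionError("new authenticator exceeds session strength")
        self.authenticators[new_auth.name] = new_auth

    def report_lost(self, name):
        # Reporting loss triggers revocation in this sketch.
        self.authenticators[name].revoked = True

    def due_for_reissuance(self, now, window=timedelta(days=30)):
        # Still-valid credentials close enough to expiry to trigger reissuance.
        return sorted(a.name for a in self.authenticators.values()
                      if a.is_valid(now) and a.expires - now <= window)

if __name__ == "__main__":  # constructed sample data
    now = datetime(2019, 4, 9)
    acct = Account()
    acct.enroll(Authenticator("key", Strength.HARDWARE_KEY, now + timedelta(days=365)))
    acct.add_on("key", Authenticator("otp", Strength.OTP, now + timedelta(days=20)), now)
    print(acct.due_for_reissuance(now))
```

Checking the session authenticator's validity inside add_on keeps a revoked or expired credential from being used to bind a replacement.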