About Credential Lifecycle in ActivID Credential Management System
In the context of ActivID, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself.

In ActivID CMS, credentials can reside in one of the following three states:
- Issued: Credentials are in a valid state, and all cryptographic operations can be performed.
- On hold: Credentials are temporarily revoked (that is, cannot be used for some cryptographic operations such as digital signature or Windows logon, but can be resumed).
  This state is achieved when the device or individual credentials are suspended (see Suspending a Device), or when a device replacement request for a Lost/Stolen/Damaged or Forgotten device is created.
- Revoked: Credentials are definitively revoked (for example, they cannot be used for some cryptographic operations, such as digital signature or Windows logon, and the state is irreversible).
  This state is achieved when a device is terminated, when a replacement request for a Damaged device is executed, or when a replacement request for a Lost/Stolen device is executed.
The ability to revoke credentials when replacement devices are issued depends on the device application configuration. The operator can configure whether or not to revoke the recovered credentials when the replacement device is issued. For details, see Creating a Device Policy That Recovers Credentials.