Device Policies that Comply with PIV Standards

In ActivID CMS, there are two basic models of PIV (Personal Identity Verification, the technical standard behind HSPD-12) card issuance: one-step and two-step issuance.

Note: The two-step issuance process can also include the use of ActivID Batch Management System, using a similar process.

In the following section, we provide examples of how to configure Face-to-Face device policies using Entrust, Microsoft, Symantec MPKI v8, and UniCERT UPI Certificate Authorities.

Face-to-Face (F2F) Device Policy Configuration

For a Face-to-Face PIV device policy (for example, an SP 800-73-3-compliant profile), four applications are mandatory and the rest are optional.

  • PIN – Mandatory application. The personal identification number (PIN) that is known only to the owner of the card.

  • PIV_AUTHENTICATION – Mandatory application. Contains a PKI certificate and key pair used to authenticate the user.

  • CHUID – Mandatory application. This container stores the Cardholder Unique Identifier.

  • PIV Security Object – Mandatory application. This container stores data compliant with the machine readable travel document (MRTD) specification of the International Civil Aviation Organization (ICAO). This application must be updated if at least one PIV_Key_Management_History application is added and configured.

  • CARD_AUTHENTICATION – Optional application. This key and certificate (if the key is an asymmetric key) supports PIV Card Authentication for device to device authentication purposes (physical access). When the Card Authentication Key is a symmetric key, the CHUID authentication key map shall be present and specify the cryptographic algorithm and key storage location.

  • PIV_DIGITAL_SIGNATURE – Optional application. This key and certificate supports the use of digital signatures for the purpose of document signing.

  • PIV_ENCRYPTION – Optional application. This key and certificate supports the use of encryption for the purpose of confidentiality. This key pair is escrowed by the issuer for key recovery purposes.

  • PIV Fingerprint 1 – Optional application. This container stores the biometric template of the user’s fingerprint.

  • PIV_Facial_Image – Optional application. This container stores the biometric template of the user’s facial image.

  • PIV_Printed_Information – Optional application. This container stores the duplicate of the information printed on the body of the card (for example, name or affiliation).

  • PIV_Iris – Optional application. This container stores the biometric template of the user’s iris image.

  • PIV_Key_Management_History_1-20 – Optional application. These containers store keys and certificates that have been retired. When at least one of these containers is configured, the PIV_Key_History container becomes mandatory.

  • PIV_Key_History – Optional application. This container stores the number of retired keys that are stored on the card. This application is required when at least one of the PIV_Key_Management_History containers is configured.

Activation Policy Configuration

To create an Activation PIV Card policy, up to four (4) PKI applications can be configured on the card. Only one is mandatory.

  • PIV_AUTHENTICATION – Mandatory application. The PIV Authentication Key, as defined in FIPS 201 (Federal Information Processing Standard 201, the NIST standard for HSPD-12/PIV), is used to authenticate the card and the user by means of the Personal Identification Number (PIN).

  • CARD_AUTHENTICATION – Optional application. This contains a key (symmetric or asymmetric) used for device to device authentication purposes (physical access).

  • PIV_DIGITAL_SIGNATURE – Optional application. This contains a PKI certificate and key pair used to perform digital signatures.

  • PIV_ENCRYPTION – Optional application. This contains a PKI certificate and key pair used to perform data encryption.

Certificate Authority Configuration

You must make some modifications to your selected CA (the Certificate Authority that issues and manages security credentials and public keys for message encryption in a network environment) in order to be compliant with the PIV workflow. These modifications include some global configuration changes as well as defining the PIV certificate templates that will be used in the PIV card policies. The modifications are detailed for each CA provider.

The PIV certificate templates are based on the PIV Data Model listed below.

PIV Data Model (one entry per PKI slot)

Card_Authentication (Optional PKI slot; PKI usage access right: PIN always)

  • SubjectName: NULL (or FASC-N)

  • SubjectAltName: URI = UUID; OtherName = FASC-N, marked Critical if SubjectDN = NULL

  • Key Usage: Signature, Critical

  • Enhanced Key Usage: 2.16.840.1.101.3.6.8 id-PIV-cardAuth, Critical

  • Certificate Policy: 2.16.840.1.101.3.2.1.3.17 id-fpki-common-cardAuth

  • Authority Info Access: 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method

  • CRL Distribution Point: LDAP and HTTP URLs

  • NACI: Yes

Authentication (Mandatory PKI slot; PKI usage access right: PIN once)

  • SubjectName: DN (default)

  • SubjectAltName: URI = UUID; OtherName = UPN; OtherName = FASC-N, marked Critical if SubjectDN = NULL

  • Key Usage: Signature, Critical

  • Enhanced Key Usage: 1.3.6.1.4.1.311.20.2.2 Smart Card Logon; 1.3.6.1.5.5.7.3.2 TLS Client authentication; 1.3.6.1.5.2.3.4 id-pkinit-KPClientAuth

  • Certificate Policy: 2.16.840.1.101.3.2.1.3.13 id-fpki-common-authentication

  • Authority Info Access: 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method

  • CRL Distribution Point: LDAP and HTTP URLs

  • NACI: Yes

Digital_Signature (Optional PKI slot; PKI usage access right: PIN always)

  • SubjectName: DN (default)

  • SubjectAltName: Rfc822Name = user email

  • Key Usage: Signature and non-repudiation, Critical

  • Enhanced Key Usage: 1.3.6.1.5.5.7.3.4 id-kp-emailProtection; 1.3.6.1.4.1.311.10.3.12 MSFT Document Signing; 1.2.840.113583.1.1.5 Adobe Certified Document Signing

  • Certificate Policy: 2.16.840.1.101.3.2.1.3.6 id-fpki-common-policy

  • Authority Info Access: 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method

  • CRL Distribution Point: LDAP and HTTP URLs

  • NACI: No

Encryption (Optional PKI slot; PKI usage access right: PIN once)

  • SubjectName: DN (default)

  • SubjectAltName: Rfc822Name = user email

  • Key Usage: Key encipherment, Critical

  • Enhanced Key Usage: none listed

  • Certificate Policy: 2.16.840.1.101.3.2.1.3.6 id-fpki-common-policy

  • Authority Info Access: 1.3.6.1.5.5.7.48.1 OCSP access method; 1.3.6.1.5.5.7.48.2 Certificate Authority Issuer access method

  • CRL Distribution Point: LDAP and HTTP URLs

  • NACI: No