Card Production Request 2.8.1 Schema

Policy

Optional

PIV-I or PIV

n/a

This indicates if the CPR request is intended for a PIV or PIV-I Card.

Based on the value, ActivID CMS may check for mandatory / optional data element to be present in the CPR. Specifically:

For PIV-I, the usage of UUID is mandatory and the FASC-N must have a specific format. Use the following values:

A UUID is present in the CPR GUID field.

The FASC-N conforms to the standard specification (starts with 14 ‘nines’).

For PIV policy, the usage of the UUID is optional, in that case:

The FASC-N shall not start with 14 nines.

The UUID is optional.

StandardRevision

Optional

800-73-1 or 800-73-3

n/a

This indicates the revision level for the issued cards. This affect the following CPR elements:

800-73-1:

OrganizationalAffiliation from CPR to map to Employee Affiliation Line 2(0x03)

OrganizationalAffiliation2 is ignored

800-73-3:

Moved: OrganizationalAffiliation (optional) from CPR maps to OrganizationalAffiliation (Line1) – (0x07).

New: OrganizationalAffiliation2 (optional) from CPR maps to OrganizationalAffiliation (Line2) – (0x08).

800-73-3 Appendix A.

FIPS201 – Section 4.1.4.1 - zone 10

SecurityClearances

Required

See comment

See comment

At a minimum the NACI indicator attribute shall be defined in the Security clearance data element:

NACIIndicator: Boolean - Mandatory.

SecurityClearance: Complex - Optional - This element provides the optional ability to include the clearance itself in digital form, such as a digital scan of an analogue document, or an electronic form.

FIPS 201 – Appendix D.2.

CardholderId

Required

String

1\None

Used to store binding with external IDMS User identifier.

FullName

Required

String

1\32

Full Name as specified in FIPS 201. This value will be added to the 800-73-1 printed information buffer.

Care must be taken that this value is the concatenation of the value of the following attributes used for printing:

• LastName

• FirstNameAndMiddleInitial

800-73-1 - Appendix A.

FIPS201 – Section 4.1.4.1 - Zone 2

EmployeeAffiliation

Required

String

1\20

This value will be added to the 800-73-3 printed information buffer (as Employee Affiliation) and printed on the card.

800-73-1 - Appendix A.

FIPS201 – Section 4.1.4.1 - Zone 8

OrganizationalAffiliation

Optional

String

1\32

This value will be added to the 800-73-3 printed information buffer (as Organization Affiliation) and printed on the card.

800-73-3 Appendix A.

FIPS201 – Section 4.1.4.1 - zone 10

OrganizationalAffiliation2

Optional

String

1\32

This value will be added to the 800-73-3 printed information buffer (as Organizational Affiliation 2) and printed on the card.

DepartmentAffiliation

Optional

String

1\NA

This value can be used to form the dn according to the common policy.

X509 Certificate Policy for the US Federal PKI Common Policy Framework v 2.4 02/15/06 Section 3.1.1.

AffiliateSuffix

Required

String

1\NA

This value can be used to form the dn according to the common policy for federal contractors and other affiliated persons.

For non-affiliates the value should be left empty in the CPR.

X509 Certificate Policy for the US Federal PKI Common Policy Framework v 2.4 02/15/06 Section 3.1.1.

ExpirationDate

Required

YYYYMMDD

8\8

PIV card expiration date. This value will be added to the 800-73-1 printed information buffer, printed on the card and also added to the CHUID buffer.

Additionally, this attribute may be printed, formatted as MMMYYYY, in Zone 19 as described in section 2.3 of SP800-104.

See also ExpirationDateShort.

800-73-1 Section 1.8.3

FIPS201 – Section 4.1.4.1 Zone 14 –800-104 Section 2.3 Zone 19

AgencyCardSerialNumber

Required

String

10\10

Agency card serial number. This value will be added to the 800-73-1 printed information buffer and printed on the card.    

800-73-1 Appendix A.

FIPS201 – Section 4.1.4.1 - zone 1

IssuerIdentification

Required

String

15\15

Issuer Identification. This value will be added to the 800-73-1 printed information buffer and printed on the card.

800-73-1 Appendix A.

FIPS201 – Section 4.1.4.1 - Zone 2

Photo

Required

BiometricType

See comment

The Photo data element requires the CBEFF_BIOMETRIC_RECORD and some of the CBEFF_HEADER values to be set in the CPR as attributes.

ActivID CMS will compute the CBEFF_SIGNATURE_BLOCK from the provided data, and also from other CPR data elements.

800-76-1 – Table 7

Photo:

CBEFF_BIOMETRIC_RECORD data elements

Required

See comment

See comment

Type: String – Mandatory. Must be set to 385-2004 for picture.

Photo data element value: Base64 – Mandatory. The Cardholder facial image stored in a CBEFF_BIOMETRIC_RECORD compliant with 800-76-1[FACESTD].

The CBEFF_BIOMETRIC_RECORD shall contain all of the Facial Record Header and all the Facial Record data and shall not include the CBEFF_HEADER or CBEFF_SIGNATURE_BLOCK.

800-76-1 [FACESTD] – Section 5.2

Photo:

CBEFF_HEADER values data elements

Required

See comment

See comment

Header: String – Mandatory. Must be CBEFF.

The following attributes are mandatory and must correspond to the values for the corresponding Cardholder facial image CBEFF_BIOMETRIC_RECORD.

The attributes format must be in compliance with 800-76-1.

• DataQuality: int – Mandatory.

Range: 2\100

• Creator: String – Mandatory.

Min/Max Length = 1\18

• CreationDate: String – Mandatory.

Format = YYYYMMDDhhmmss

• ValidityStartDate: String – Mandatory.

Format = YYYYMMDDhhmmss

• ValidityEndDate: String – Mandatory.

Format = YYYYMMDDhhmmss

ActivID CMS will compute and fill-in the other CBEFF_HEADER values with appropriate values.

800-76-1 – Table 8.

Fingerprints

Required

The fingerprints data element requires the CBEFF_BIOMETRIC_RECORD and some of the CBEFF_HEADER values to be set in the CPR.

ActivID CMS will compute the BEFF_SIGNATURE_BLOCK from the provided data and also from other CPR data elements.

800-76-1 – Table 7

Fingerprints: CBEFF_BIOMETRIC_RECORD data elements

Required

See comment

See comment

Type: String – Mandatory. Must be set to 378-2004 for Fingerprint.

Fingerprints data element value:

• Base64 – Mandatory. The fingerprints stored in a CBEFF_BIOMETRIC_RECORD compliant with 800-76[MINUSTD].

• The CBEFF_BIOMETRIC_RECORD shall contain all Fingerprint Record Headers and all Fingerprints Record data and shall not include the CBEFF_HEADER or CBEFF_SIGNATURE_BLOCK.

• Per 800-73-1 and 800-76-1, the record shall contain 2 fingerprint templates for the primary and secondary fingers (2 finger view records).

800-76-1 [MINUSTD] – Section 3.4.3

FingerprintsCBEFF_HEADER values data elements

Required

See comment

See comment

Header: String – Mandatory. Must be CBEFF.

The following attributes are mandatory and must correspond to the values for the corresponding fingerprints CBEFF_BIOMETRIC_RECORD. The attributes format must be in compliance with 800-76:

• DataQuality: int - Mandatory.

(2\100)

• Creator: String – Mandatory.

Min/Max Length = 1\18

• CreationDate: String - Mandatory.

Format = YYYYMMDDhhmmss

• ValidityStartDate:String – Mandatory.

Format = YYYYMMDDhhmmss

• ValidityEndDate: String – Mandatory.

Format = YYYYMMDDhhmmss

ActivID CMS will compute and fill-in the other CBEFF_HEADER values with appropriate values.

800-76-1 – Table 8.

Iris

Optional

The iris data element requires the CBEFF_BIOMETRIC_RECORD and some of the CBEFF_HEADER values to be set in the CPR.

ActivID CMS will compute the CBEFF_SIGNATURE_BLOCK from the provided data and also from other CPR data elements.     

800-76-2

Iris: CBEFF_BIOMETRIC_RECORD data elements

Required

See comment

See comment

Type: String – Mandatory.  Must be set to 19794-6 for Iris.

Iris data element value:  Base64 – Mandatory.

The iris stored in a CBEFF_BIOMETRIC_RECORD compliant with 800-76-2.

The CBEFF_BIOMETRIC_RECORD shall contain all of the Iris General Record Header and all the Iris Record data and shall not include the CBEFF_HEADER or CBEFF_SIGNATURE_BLOCK.

800-76-2 – Table 14

800-76-2 – Table 14

Required

See comment

See comment

Header: String - Mandatory. Must be CBEFF.

The following attributes are mandatory and must correspond to the values for the corresponding iris CBEFF_BIOMETRIC_RECORD.

The attributes format must be in compliance with 800-76-2:

• DataQuality: Shall be 50 per standard

• Creator: String - Mandatory.

Min/Max Length = 1\18

• CreationDate: String – Mandatory.

Format = YYYYMMDDhhmmss

• ValidityStartDate:String – Mandatory. 

Format = YYYYMMDDhhmmss

• ValidityEndDate: String – Mandatory. 

Format = YYYYMMDDhhmmss

ActivID CMS will compute and fill-in the other CBEFF_HEADER values with values specified in the standard:

• Format Owner: 0x0101

• Format Type: 0x0009

• Biometric Type: 0x0000 0002

• Biometric Data Type: b010xxxxx     

800-76-2 – Table 20.

FASCN data element

Required

Base64

25\25

The value of the FASC-N should be built according to the TIG-SCEPACS and 800-73 specifications.

TIG_SCEPACS_v2.2 - Section 6

800-73 - Section 1.8.3

AgencyCode data element

Optional

String

4\4

The value of the Agency code is optional and should be used according to the TIG-SCEPACS, to work around the limitation of alphanumeric agency codes.

TIG_SCEPACS_v2.2 - Section 2.1

Organization Identifier data element

Optional

String

4\4

The value of the organization code is optional and should be used according to the TIG-SCEPACS to work around the limitation of alphanumeric OI.

TIG_SCEPACS_v2.2 - Section 2.1

DUNS data element

Optional

String

9\9

The value of the DUNS is optional and should be used according to the TIG-SCEPACS, when agency code is 9999.

TIG_SCEPACS_v2.2 - Section 2.1

GUID data element

Required

’0000000000000000’ or Base64 encoded value    

The value of the GUID is mandatory and should be set as a string of 16 ‘0’ characters or base64 encoded.

The 16 ‘0’ string encoding is kept for backward compatibility purposes. The base64 encoding is preferred.

The GUID may contain a base64 encoded UUID value to cater for PIV-I use cases.

800-73 - Section 1.8.3

Thumbnail photo

Required

Base64

Depends on print layout

FIPS201 section 4.1.4.1 Zone 1

Last Name

Required

String

Depends on print layout

See FullName comment.

FIPS201 section 4.1.4.1 First line of zone 2

First Name and Middle initial

Required

String

Depends on print layout

See FullName comment.    

FIPD 201 section 4.1.4.1 Second line of zone 2

Signature image

Optional

Base64

Depends on print layout

Binary image of cardholder signature.

FIPS201 section 4.1.4.3 Zone 3

AgencySpecificText1

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

If used, then this area can be used for printing agency specific requirements, such as employee status.

FIPS201 section 4.1.4.3 Zone 4

Rank

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

Data format is at department or agency discretion.    

FIPS201 section 4.1.4.3 Zone 5

PDF417

Optional

String

Depends on print layout

If used, then the PDF bar code placement shall be printed on left side of the card front surface.

If Zone 3 (a cardholder signature) is used, then the size of the PDF bar code may be affected.

Departments and agencies are encouraged to ensure that a PDF used in conjunction with a PIV card containing a cardholder signature will satisfy the anticipated PDF data storage requirements.

FIPS201 section 4.1.4.3 Zone 6

Header

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

If used, then the default text should be “United States Government”.

Departments and agencies may also choose to use this zone for other department or agency-specific information, such as identifying a Federal emergency responder role.

FIPS201 section 4.1.4.3 Zone 9

AgencySeal

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

This is a reference to the seal selected by the issuing department, agency, or organization.

FIPS201 section 4.1.4.3 Zone 11

Footer

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

The footer is the preferred location for the Emergency Response Official Identification label.

FIPS201 section 4.1.4.3 Zone 12

ColorCode    

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

This is a reference to the color-coding to use.

Color-coding may be used for additional identification of employee affiliation.

If color-coding is used, it shall be used as a background color for Zone 2 (name).

FIPS201 section 4.1.4.3 Zone 15

PhotoBorderColorCode

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

This is a reference to the photo border color-coding to use.

A border may be used with the photo to further identify employee affiliation.

This border may be used in conjunction with Zone 15 to enable departments and agencies to develop various employee categories. The border may be a solid or patterned line.

FIPS201 section 4.1.4.3 Zone 16

AgencySpecificText2

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

If other defined optional elements are not used, then Zone 17 may be used for other department or agency-specific information.

FIPS201 section 4.1.4.3 Zone 17

ColorCodeChar

Optional

String

1

Optional Items on the Front of the Card.

If used, then the affiliation color code “B” for Blue or “G” for Green shall be printed in a white circle in Zone 15.

SP800-104 section 2.3 Zone 18

ExpirationDateShort

Optional

String    

MMMYYYY

Deprecated

The ActivID CMS 4.1 plug-in converted the provided expiration date to the correct format for printing. See ExpirationDate.

SP800-104 section 2.3 Zone 19

OrgAffiliationAbbrev

Optional

String

Depends on print layout

Optional Items on the Front of the Card.

If used, then the organizational affiliation abbreviation shall be printed in the upper right hand corner below the date.    

SP800-104 section 2.3 Zone 20

MagStripe

Optional

Base64

Depends on print layout

Optional Items on the Back of the Card.

FIPS201 section 4.1.4.4 Zone 3

ReturnToAddress

Optional

String

Depends on print layout

Optional Items on the Back of the Card.

If used, then the “return if lost” language shall be placed on the back of the card.

If used, it must contain the following attributes:

• ReturnToAddress1: String – Mandatory. Line 1 of the "Return To:" address.

• ReturnToAddress2: String – Optional. Line 2 of the "Return To:" address.

• ReturnToAddress3: String – Optional. Line 3 of the "Return To:" address.

FIPS201 section 4.1.4.4 Zone 4

PhysicalCharacteristics

Optional

Complex

Depends on print layout

Optional Items on the Back of the Card. If defined, then must contain the following attributes:

• Height: String – Mandatory

• EyeColor: String – Mandatory

• HairColor: String – Mandatory

FIPS201 section 4.1.4.4 Zone 5

EmergencyResponderLanguage

Optional

String

Depends on print layout

Optional Items on the Back of the Card.

Departments and agencies may choose to provide additional information to identify emergency response officials or to better identify the cardholder’s authorized access.    

FIPS201 section 4.1.4.4 Zone 6

Section499

Optional

Boolean

Depends on print layout

Optional Items on the Back of the Card. If used, then standard Section 499, Title 18, language warning against counterfeiting, altering, or misusing the card shall be printed in Zone 7.

FIPS201 section 4.1.4.4 Zone 7

Section508

Optional

String

Depends on print layout

Optional Items on the Front of the Card. To meet 508 compliance. New in FIPS201-2.

FIPS201-2 section 4.1.4.4 Zone 21

Code39

Optional

String

Depends on print layout

Optional Items on the Back of the Card. If used, then a linear 3 of 9 bar code shall be generally printed.

It shall be in accordance with Association for Automatic Identification and Mobility (AIM) standards.

Beginning and end points of the bar code will be dependent on the embedded contactless module selected. Departments and agencies are encouraged to coordinate placement of the bar code with the card vendor.

FIPS201 section 4.1.4.4 Zone 8

AgencySpecificText3

Optional

String

Depends on print layout

Optional Items on the Back of the Card.

FIPS201 section 4.1.4.4 Zone 9

AgencySpecificText4

Optional

String

Depends on print layout

Optional Items on the Back of the Card.

FIPS201 section 4.1.4.4 Zone 10

ServiceBureauCardConfiguration

Optional

See comments

See comments

Documents the Service Bureau card configuration.

CardProfileId: Optional - String. Identifies the expected card profile for the card. The specification of this field should be agreed upon between the enrollment system and the Service Bureau.

PrintLayout: Optional – String. Identifies the expected card layout for the card. The specification of this field should be agreed upon between the enrollment system and the Service Bureau.

Extensions: Optional. Allows for extensions of card configuration data. A complimentary schema must be provided to meet validation requirements.

DeliveryPlaceInfo

Optional

See comments

See comments

Delivery place Information for the card.

If used, then the following attributes must be documented:

• DeliveryPlaceID: String – Mandatory. Identifier of Delivery place

• OrganizationName: String - Mandatory: Organization Name

• Address: String - Mandatory: Delivery address

• Address2: String - Optional: Alternate delivery address

• Address3: String - Optional: Alternate delivery address

• City: String – Mandatory

• ZipCode: String: Mandatory

• State: String: Mandatory

• Country: String: Mandatory

• MainContactPerson: Complex: Mandatory. The following attributes must be documented:

• PersonName: String – Mandatory.

• Tel1: String – Mandatory

• Tel2: String – Mandatory

• Fax: String – Mandatory

• Email: EmailOrUPN – Mandatory

• AltContactPerson: Complex – Optional. See MainContactPerson

• ShippingInstructions: String - Optional.  Contains any specific shipping instructions information.    

EmailAddress

Optional

EmailOrUPN

Email Pattern:

[^@]+@[^\.]+\..+

Optional email address. The PIV Enrollment plug-in and ActivID CMS must be configured accordingly.

UPN

Optional

EmailOrUPN

Email Pattern:

[^@]+@[^\.]+\..+

Optional UPN element. The PIV Enrollment plug-in and ActivID CMS must be configured accordingly.

CertificateExtension1 to CertificateExtension10

Optional

CertificateExtension

Up to 10 extensions can be defined

Allows for additional certificate extensions to be added to the CPR.

Each extension is defined as a CertificateExtension element type.

Each extension defines the following attributes:

• CertificateIdentifiers: List of String, mandatory.

• White space separated list of Identifiers of the certificates that will get the extensions:

• Authentication

• CardAuthentication

• Signature

• Encryption

The following parameters define the Certificate extension attributes according to X509 standard:

• OID: String, mandatory. ID of the extension to be added to the certificate request. It is in dot notation format (example: 1.3.6.1.4.1)

• Value: Base64, mandatory. Value of the extension in base64 format. ActivID CMS does not parse or interpret the value before adding it to the certificate request. It must be encoded according to the expected ASN.1 format before being sent to the CPR.

• Criticality: Boolean, mandatory. Defines whether or not the extension is critical.

RFC 3280 for certificate extension definition.

X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Providers (SSP) Program, Section 7 for critical extension.

Extensions

Optional

Depends on complementary schema

Depends on complementary schema

Allows for non-PIV extension of the card personalization Refers generically to a card issuance, re-issuance, or update. data required for personalization and/or credentialing and within the scope of the registrar signature.

A complementary schema must be provided to meet validation requirements. 

FASCN

The FASCN is using the following sample values:

AGENCY CODE = 1341

SYSTEM CODE = 0001

CREDENTIAL# = 987654

CS = 1

ICI = 1

PERSON IDENTIFIER = 1234567890

OC= 1

OI=1341

POA=1

FASCN

The FASCN is using the following sample values according to PIV-I Specifications, it starts with 14 nines:

AGENCY CODE = 9999

SYSTEM CODE = 9999

CREDENTIAL# = 999999

CS = 0

ICI = 1

PERSON IDENTIFIER = 1112223333

OC= 1

OI= 1223

POA=2

Base 64:

1Oc52nOc7TnOc52DaFoQghCM5zmEEIyj/A==

Hex:

d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 5a 10 82 10 8c e7 39 84 10 8c a3 fc

UUID

The UUID is e8680700-929c-11e0-b569-0002a5d5c51b