Certificate Authority & Identity Assurance
Introduction
Recently, I have been fielding questions from our partners regarding the IdenTrust identity proofing and the respective assurance levels provided by a Certificate Authority (CA). As a CA, we are obligated to make our Certificate Policy (CP) and Certificate Practice Statement (CPS) publicly available. Since the CP/CPS can be lengthy, I will focus on summarizing identity proofing.
Identity Proofing: Basic vs. Medium Assurance
Here, I will discuss Basic Assurance and Medium Assurance provided with our IdenTrust Global Common (IGC) and External Certification Authority (ECA) certificates, and the related identity proofing differences.
Basic Assurance
For IGC Basic Assurance certificates, we utilize third-party data aggregators to validate applicant-provided data via our secure website. This includes, but is not limited to, validating date of birth, SSAN, government-issued photo IDs, and addresses.
Medium Assurance
IGC Medium Assurance certificates take identity proofing a step further by requiring in-person verification: the applicant’s identity documents are inspected for authenticity and compared directly against the applicant. This may be completed by a commissioned notary authorized within the applicant’s state of residence.
ECA Medium Assurance Sub-Levels
The medium assurance requirements for the IdenTrust ECA certificates have two sub-levels of assurance: Medium Assurance/Medium Assurance Token and Medium Assurance Hardware. The software/token level identity proofing is similar to the IGC Medium Assurance in that an in-person verification with a notary is required. However, with the hardware level, identity verification must be conducted by a Trusted Agent, a person approved by IdenTrust.
Understanding Assurance Levels
Assurance Level refers to the strength and security of the authentication and the degree of confidence a relying system can place in the asserted identity. It depends on the type of credentials used, the number of authentication factors required, and the strength of the cryptographic operations involved. Essentially, the higher the assurance level of a digital certificate, the higher the level of trust afforded to the holder or system.
Within the IGC CP/CPS, Basic and Medium Assurance certificates may be issued to successful applicants, whether persons or non-human devices. Within the ECA CP/CPS, we provide Medium Assurance certificates to DoD-related persons or non-human devices.
| | Basic Assurance, IdenTrust Global Common (IGC) | Medium Assurance, IdenTrust Global Common (IGC) | Medium Assurance (Token), External Certification Authority (ECA) | Medium Assurance (Hardware), External Certification Authority (ECA) |
|---|---|---|---|---|
| Identity Proofing Method | Third-party data validation via secure website. | In-person identity verification by a commissioned notary. | In-person identity verification by a commissioned notary. | In-person identity verification conducted by a Trusted Agent (approved by IdenTrust). |
| Verification of Documents | Validates applicant-provided data, including date of birth, government-issued photo ID, and address. | Verifies authenticity of documents by physical inspection. | Verifies authenticity of documents by physical inspection. | Verifies authenticity of documents with enhanced scrutiny by a Trusted Agent. |
| Comparison to Applicant | No physical comparison to the applicant. | Physical comparison of documents to the applicant. | Physical comparison of documents to the applicant. | Physical comparison of documents to the applicant with additional oversight by the Trusted Agent. |
| Level of Trust | Basic level of confidence. | Medium level of confidence. | Medium level of confidence. | High-medium level of confidence due to Trusted Agent oversight. |
| Use Case Examples | Basic-level trust required for personal or low-risk transactions. | Suitable for business applications requiring moderate trust in identity. | Suitable for DoD-related applications where medium-level trust is required. | Ideal for high-security DoD-related applications or scenarios requiring greater scrutiny and assurance. |
Comparing CA and CSP Identity Proofing
The identity proofing requirements a CA applies to Basic and Medium Assurance certificates should not be confused with those that apply to a credential service provider (CSP), in particular the IAL2 and IAL3 standards within NIST Special Publication 800-63-2. For example, IAL2 (Identity Assurance Level 2) permits either in-person or remote verification; remote verification is performed over a video call, with facial recognition software used to compare the applicant against scanned or electronically captured identification documents.
Conclusion
If you, as an individual, or your organization’s business requirements call for IAL2 identity proofing, consider the appropriate IdenTrust IGC or ECA Medium Assurance certificates, as their identity proofing would, by comparison, exceed the IAL2 standard.
Feel free to reach out if you have any questions or need further clarification on any of these points!