ECA FAQs



1. How do I prove my citizenship?
2. Why do I have to prove my citizenship?
3. How many citizenships can I include in my application?
4. I do not have a passport, what can I do to prove my citizenship?
5. Where do I find a Trusted Correspondent?
6. Can I use a notary to comply with the in-person identity verification requirement?
7. Can I visit a US consul in-person to comply with the identity verification requirement?
8. I lost my encryption certificate, how do I get a copy from you?
9. I lost my token/smart card, what do I do?
10. I need to decrypt a terminated employee’s files, what do I do?
11. How do I configure Mozilla Firefox to be FIPS 140 compliant/validated?
12. What is a FIPS112-compliant password?
13. Should I protect my certificate with a password?
14. Which is better, a smart card or a USB token?
15. Where do I find The CP? The CPS? The Notary form? The ID form? Key Recovery form? Claim form?
16. How do I revoke my certificate?
17. How do I check the status of my application?

1. How do I prove my citizenship?
a. Within the ECA Program, an Applicant can prove his or her citizenship using a valid passport issued by the country of citizenship. You should bring the passport to the in-person identity verification appointment. Either the Trusted Correspondent, the Notary Public, the U.S. consul or an authorized IdenTrust employee will verify your citizenship using your passport.

2. Why do I have to prove my citizenship?
a. Citizenship will be used as part of the criteria for authorizing restricted access by the different Relying Parties to online applications. The ECA Program is governed by a Certificate Policy requiring that all applicants provide proof of their citizenship in order to be issued ECA certificates after July 1st 2007.

3. How many citizenships can I include in my application?
a. You can include multiple citizenships in your application. The citizenships you include will be used by IdenTrust to issue your certificate and Relying Parties will use the citizenship information within the certificate to establish your access to applications. IdenTrust has designed its registration processes to easily accept up to three citizenships. If you need to include more than three citizenships please contact the IdenTrust Registration Desk directly at 1-888-882-1104 or 801-924-8141 (from outside the U.S.).

4. I do not have a passport, what can I do to prove my citizenship?
a. The ECA program Certificate Policy (CP) and IdenTrust Certification Practice Statement (CPS) require that citizenship be proved based on a valid passport. If you are a citizen of a country other than the United States and you do not have a passport, you are not eligible to obtain a certificate under the ECA Program. However, if you are a citizen of the United States, you can also prove your citizenship based on the following documents:
i. Certified birth certificate issued by the city, county, or state of birth, in accordance with applicable local law. A certified birth certificate has a registrar's raised, embossed, impressed or multicolored seal, registrar’s signature, and the date the certificate was filed with the registrar's office, which must be within 1 year of birth. A delayed birth certificate, filed more than one year after birth, is acceptable if it lists the documentation used to create it and is signed by the attending physician or midwife, or lists an affidavit signed by the parents, or shows early public records.
ii. Naturalization Certificate. A Naturalization Certificate is a document issued by the U.S. Citizenship and Immigration Service (USCIS) since October 1, 1991, and the Federal Courts or certain State Courts on or before September 30, 1991, as proof of a person obtaining U.S. citizenship through naturalization.
iii. Certificate of Citizenship. A Certificate of Citizenship is a document issued by the U.S. Citizenship and Immigration Service (USCIS) as proof of a person having obtained U.S. citizenship through derivation or acquisition at birth (when born outside of the United States).
iv. FS-240 - Consular Report
v. DS-1350 - Certification of Report of Birth

5. Where do I find a Trusted Correspondent?
a. Your Organization might have a Trusted Correspondent and the person who requested that you obtain an ECA Program certificate will know the contact information for that person. If you do not have the means to obtain this information, contact IdenTrust for further details at 1-888-882-1104. Additionally, IdenTrust has made available Trusted Correspondents in a few cities in the U.S. including: Decatur (AL), Miami (FL), Rockville (VA/MD/DC), and San Francisco (CA). You can contact IdenTrust to set up an appointment.

6. Can I use a notary to comply with the in-person identity verification requirement?
a. Yes, you can use a Notary Public to comply with the in-person verification requirement. However, verification by a Notary is valid ONLY for Medium Assurance certificates. If you need to obtain a Medium Hardware Assurance certificate, you must contact a Trusted Correspondent within your organization or an IdenTrust Registrar (RA Operator or Trusted Correspondent).

7. Can I visit a US consul in-person to comply with the identity verification requirement?
a. Yes, the ECA Certificate Policy specifies three categories of applicants: U.S. Citizens, citizens of Australia, Canada, New Zealand, or the United Kingdom, and citizens of other countries. U.S. Citizens can appear at any US consulate office for in-person identity verification. Citizens of one of the countries above may visit a US consulate in any of the four countries. If you are not in the U.S. and are not a citizen of any of those four countries, you should contact a Department of Defense (DOD) country representative for more information. Please be aware that U.S. consuls only provide authentication that enables you to obtain a Medium Assurance certificate.


8. I lost my encryption certificate, how do I get a copy from you?
a. You need to contact a Key Recovery Officer (KRO) within your organization to initiate a Key Recovery Request. He or she will assist you in filling out the appropriate form. After the form is submitted to IdenTrust and is approved, you will receive a copy of your recovered key in the mail. If your organization does not have a KRO, you can contact specific individuals within your organization who can submit a request on behalf of the organization to IdenTrust. Those individuals are mentioned in the Subscribing Organization Authorization Agreement. Contact your supervisor or your HR department to find out who can request key recoveries from IdenTrust. Alternatively, IdenTrust provides KRO services in selected cities including: Decatur (AL), Miami (FL), Rockville (VA/MD/DC), and San Francisco (CA). You can contact IdenTrust to set up an appointment.

9. I lost my token/smart card, what do I do?
a. The first step is to revoke your certificate to prevent anyone else from using it. Please be aware that a revoked certificate is unusable. To see what to do for revocation click here.

The next step depends on whether you have a backup copy of your encryption private key and whether you have received encrypted data or email with it. If you have not used the encryption certificate to receive encrypted data or email, you do not need to recover the encryption key. If you have encrypted data and have no backup copy of your key, see the answer to question 11: How do I get a copy of my encryption certificate?

If you need an ECA certificate for your daily functions, you will need to obtain a new certificate.

10. I need to decrypt a terminated employee’s files, what do I do?
a. You will need the encryption private key and certificate that was originally used to encrypt the data. If you do not have a copy of the private key, you can request a key recovery from IdenTrust by using the services of an internal KRO. If your organization does not have a KRO, you can request key recovery directly from IdenTrust if you have the authority to do so. Please review the Subscribing Organization Authorization Agreement to find out who has authority to request key recovery.

11. How do I configure Mozilla Firefox to be FIPS 140 compliant/validated?
a. These instructions are provided for Mozilla Firefox version 2.0 or higher. Lower versions follow the same pattern. You can make your Mozilla Firefox browser compliant with FIPS 140 by going to the "Tools" menu, then selecting "Options" and the "Advanced" tab. There, select the "Encryption" tab and click on "Security Devices." The browser will open a "Device Manager" screen that has an "Enable FIPS" button; click on it and then "OK". The button will change to "Disable FIPS." Your browser is now FIPS compliant. You can now download your ECA certificates.

12. What is a FIPS112-compliant password?
a. A FIPS 112-compliant password requires the following characteristics:
i. Composition: Password should contain both upper and lower case characters (e.g., a-z, A-Z) and have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\‘{}[]:";’<>?,./).
ii. Length: The minimum length is 8 characters. Longer passwords will provide stronger security. Passwords are more easily remembered as a passphrase. Example: Don’tUseMyExactExample2
iii. Lifetime: The maximum life is 1 year and a change is recommended every three months where practical. "Passwords shall be replaced as quickly as possible, but at least within 1 working day from the time that a compromise of the password is suspected or confirmed."
iv. Source: Users should not select a password that can be found in a dictionary or name list
v. Ownership: Passwords should not be shared
vi. Distribution: Passwords should not be shared in email
vii. Storage: Passwords should not be stored insecurely
viii. Entry: Passwords should be entered in a way that others cannot observe entry
ix. Transmission: Passwords should never be transmitted in clear text
x. Authentication Period: Users are recommended to lock their screen when leaving their area and to have an inactivity, auto-lock, password-protected screensaver set to protect against unauthorized use of their token and system
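
One way to check a candidate password against the Composition, Length, Source and Lifetime items above, as an added example (not IdenTrust's code or tooling). The function names, the constructed word list, and the 365-day and 90-day approximations of "1 year" and "three months" are assumptions.

```python
import string
from datetime import date, timedelta

# Constructed sample list; a real check would load a full dictionary and name list.
SAMPLE_WORDLIST = {"password", "welcome", "identrust", "jonathan"}

MIN_LENGTH = 8                       # Length: minimum of 8 characters
MAX_LIFETIME = timedelta(days=365)   # Lifetime: maximum life of 1 year (assumed 365 days)
ROTATE_AFTER = timedelta(days=90)    # Lifetime: change recommended every three months (assumed 90 days)


def composition_findings(password, wordlist=SAMPLE_WORDLIST):
    """Return the names of the rules the password fails (empty list = passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("length")
    if not any(c.islower() for c in password):
        findings.append("lowercase")
    if not any(c.isupper() for c in password):
        findings.append("uppercase")
    if not any(c.isdigit() for c in password):
        findings.append("digit")
    if not any(c in string.punctuation for c in password):
        findings.append("punctuation")
    # Source: drop digits and punctuation and fold case before the lookup, so a
    # dictionary word that was merely decorated ("Password1!") is still caught.
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in wordlist:
        findings.append("dictionary")
    return findings


def lifetime_status(last_changed, today):
    """Classify password age against the maximum life and the recommended change interval."""
    age = today - last_changed
    if age > MAX_LIFETIME:
        return "expired"
    if age > ROTATE_AFTER:
        return "rotation-recommended"
    return "ok"


if __name__ == "__main__":
    print(composition_findings("Password1!"))                 # fails only the Source rule
    print(lifetime_status(date(2024, 1, 1), date(2024, 6, 1)))
```

The Ownership, Distribution, Storage, Entry and Transmission items describe handling practices and cannot be verified from the password string itself.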

13. Should I protect my certificate with a password?
a. Yes, your certificate is stored along with the private key in your cryptographic module: your browser, your smart card or USB token. According to the ECA Certificate Policy and the Subscriber Agreement you accepted, it is your obligation to protect the private key with reasonable security, including a password. The password should be FIPS 112 compliant. See question "What is a FIPS112-compliant password?" for additional information.

14. Which is better, a smart card or a USB token?
a. IdenTrust has selected smart card and USB devices that are FIPS 140 level 2 and that comply with the security requirements outlined in the ECA Certificate Policy. Both devices provide 32 Kbytes of memory, which exceeds your storage needs for ECA certificates. Both devices are comparable and you can use either one without any concerns. To make your final decision, you should consider other factors such as portability and your level of comfort using either technology.

15. Where do I find The CP? The CPS? The Notary form? The ID form? Key Recovery form? Claim form?
a. You can find all the forms to do business within the IdenTrust ECA PKI in the following location: https://secure.identrust.com/certificates/policy/eca/


16. How do I revoke my certificate?
a. The process varies depending on who you are. If you are:
i. The Subscriber and still have access to the certificate, contact IdenTrust’s Help Desk (HelpDesk@identrust.com) or your Trusted Correspondent via a signed email requesting the revocation of your certificate. You should also call IdenTrust customer support to confirm the revocation. If you do not have access to the certificate, contact your Trusted Correspondent. After verifying your identity, he or she will submit a request to IdenTrust.
ii. An Authorized Officer in the Subscribing Organization trying to revoke a certificate belonging to someone other than you, submit the request to your internal Trusted Correspondent via a signed email or visit him or her in person. After identity and authority verification, the Trusted Correspondent will submit the request to IdenTrust. You can also submit the request directly to IdenTrust via a signed email. You should also call IdenTrust customer support to confirm revocation. IdenTrust will verify you are authorized to request revocations on behalf of your organization and continue with the revocation.



ECA INQUIRIES
888.882.1104
Helpdesk@IdenTrust.com
ECAsales@IdenTrust.com
M-F, 6am-6pm MST
