Does the PIV Sponsor, Registrar, PIV Card Approval and the PIV issuer have to be all different people or can one person have multiple roles?
A two-way separation of roles is the absolute minimum that could possibly meet the FIPS 201 test. In practice, however, it would be challenging to define two roles such that each provides a reliable cross-check on all critical actions of the other. Special Publication 800-79 recommends that “the roles of Applicant, Sponsor, Registrar, and PCI [PIV Card Issuer] must be played by different people when issuing a PIV Card.” Such a three-way separation of roles among the officials can generally be sufficient to ensure that the test of FIPS 201 is met, namely, “a single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential.” However, the particular separation of roles required depends on the implementation of the PIV issuance system.
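As an added illustration (not from the source, and not any agency's PIV system), the following Python check enforces the three-way separation described above over a batch of issuance records: the Sponsor, Registrar and PIV Card Issuer must be distinct people, and none of them may be the Applicant. The record layout and all names are constructed for the example.

```python
"""Separation-of-duties audit for PIV card issuance records (added example).

Models the SP 800-79 rule that Sponsor, Registrar and PCI (PIV Card Issuer)
must be different people for one card, and that the Applicant may not hold
any of those roles on their own card. Record format is an assumption.
"""
from dataclasses import dataclass

OFFICIAL_ROLES = ("sponsor", "registrar", "issuer")


@dataclass
class IssuanceRecord:
    card_id: str
    applicant: str
    sponsor: str
    registrar: str
    issuer: str


def sod_violations(rec: IssuanceRecord) -> list[str]:
    """Return every separation-of-duties violation found in one record."""
    problems = []
    officials = {role: getattr(rec, role) for role in OFFICIAL_ROLES}
    # The applicant must not act in any official role on their own card.
    for role, person in officials.items():
        if person == rec.applicant:
            problems.append(f"applicant {rec.applicant} also acted as {role}")
    # Each official role must be held by a distinct person (three-way separation).
    seen: dict[str, str] = {}
    for role, person in officials.items():
        if person in seen:
            problems.append(f"{person} holds both {seen[person]} and {role}")
        else:
            seen[person] = role
    return problems


def audit(records: list[IssuanceRecord]) -> dict[str, list[str]]:
    """Map card_id -> violations for every record that has at least one."""
    return {r.card_id: v for r in records if (v := sod_violations(r))}


# Constructed sample issuance log (not real data).
SAMPLE = [
    IssuanceRecord("PIV-0001", "alice", "bob", "carol", "dave"),    # clean
    IssuanceRecord("PIV-0002", "erin", "frank", "frank", "grace"),  # sponsor == registrar
    IssuanceRecord("PIV-0003", "heidi", "heidi", "ivan", "judy"),   # applicant sponsors self
]

if __name__ == "__main__":
    for card, issues in audit(SAMPLE).items():
        print(card, "->", "; ".join(issues))
```

The same check can run at issuance time to block a card, or after the fact over an issuance log to detect role collisions.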