Posts tagged "PIV-I"

Digital Signatures with PIV and PIV-I Credentials

In response to Homeland Security Presidential Directive (HSPD) 12, NIST created a program for improving the identification and authentication of Federal employees and contractors to Federal facilities and information systems.  This program is Federal Information Processing Standard (FIPS) 201, entitled Personal Identity Verification (PIV) of Federal Employees and Contractors, which as of September 2011 had issued over 5 million credentials.  PIV-I expands the interoperable secure PKI credentialing to Non-Federal Issuers (NFI) so that other organizations seeking identity federation can include their own employees.  Currently approved PIV-I providers include DigiCert, Entrust, Operational Research Consultants, VeriSign/Symantec, and Verizon Business.  The CertiPath bridge also supports PIV-I credential providers such as Citi and HID.

If you have a PIV or PIV-I card, and are interested in digitally signing documents for consent/approval signatures or certified publishing – Adobe Acrobat and Adobe Reader will automatically validate digital signatures via US Federal Common Policy.  Through the Adobe Approved Trust List  (AATL) program, the following trust anchors are included in version 9 and higher:

  • Common Policy — 2010 expiry — Common Hardware, Common High, Medium HW CBP
  • Common Policy — 2027 expiry — Common Hardware, Common High, Medium HW CBP
  • Federal Common Policy CA — 2030 expiry — Common Hardware, Common High, Medium HW CBP, SHA1 Hardware
To have the digital signature automatically validate for any recipient, whether or not they have a PIV/PIV-I credential, the signer’s system must build a complete certificate chain for path validation to reach one of the supported trust anchors.  If the signer’s system only has the signer’s certificate – it will not validate for anyone else automatically.  A recommendation to make this easier is for all of the issuing certificate authority public key certificates to be stored on the smartcard and available to the OS+applications.  That way the card can be truly portable and sign documents on any system.  Otherwise, the system administrator will need to ensure all of the certificates are otherwise installed into the OS and available to Adobe Acrobat/Reader.
As an example, below is an overview of configuring digital signatures with the HID PIV-I service.
After the customer application is approved and credentials are being issued, the user will need to install the chain of certificates on their signing systems.  The certificates required are:
  1. HIDSigningCA1
  2. HIDRootCA1
  3. Federal Bridge CA
  4. CertiPath Bridge CA – G2

There are several ways these certificates can be installed.  The easiest is to open the attached file HID_PIV-I_AdobeConfiguration.pdf, which provides a simplified installation experience into Adobe Acrobat and Adobe Reader.  You can also download the FDF directly here:  HID-PIV-I-Certs-AdobeReader.fdf

Now you can sign a PDF file and it will automatically validate for anyone with Acrobat or Reader version 9.1 or higher.

Sample HID PIV-I Signature document digitally signed with a production HID PIV-I card looks like this:

Here is the path that the digital signature follows for validation: