3.6 PIV card termination
The following processes apply to revoking an issued PIV card:
- Canceling (revoking) a PIV card that is present.
- Remotely canceling a PIV card that is not present.
- Erasing a PIV card that has been remotely canceled.
- Changing the disposal status of a card.
3.6.1 Canceling (revoking) a PIV card that is present
The Erase Card workflow is used to revoke and erase a smart card that is in the possession of the operator; see the Erasing a device section in the MyID Operator Client guide.
This operation:
- Disassociates the card from the user account (the cardholder).
- Revokes the certificates on the PKI, using the revocation reason selected. The following reasons immediately revoke the certificates: Lost, Stolen, Damaged, Revocation (Other).
- Resets the content of the PIV applet.
- Deletes all private keys on the card.
- Cancels all jobs in MyID associated with the card serial number.
- Resets the Global Platform and PIV 9B keysets to factory values.
- Optionally allows the disposal status of the card to be set, preventing reuse of the card.
3.6.2 Remotely canceling a PIV card that is not present
You can remotely cancel a card in the following ways:
- Using the MyID Core API.
- Using the Cancel Credential workflow; see the Canceling a device section in the MyID Operator Client guide.
- Disabling the group to which the user account belongs.
- Disabling the user account.
- Directory synchronization.
- Remove person.
In each of these operations, a revocation reason is supplied that determines the PKI actions taken. The revocation reasons cause the same PKI actions as when canceling a PIV card that is present. However, no change is made to the data on the card: the PIV applet content, the private keys and the keysets remain on the card until it is erased.
3.6.3 Erasing a PIV card that has been remotely canceled
When a card has been remotely canceled, it retains the electronic data held on the card, including its private keys. It is best practice to erase the card once it has been returned to a MyID operator.
Use the Erase Card workflow to erase the card; see the Erasing a device section in the MyID Operator Client guide.
This workflow carries out the following:
- Resets the content of the PIV applet.
- Deletes all private keys on the card.
- Cancels all jobs in MyID associated with the card serial number.
- Resets the Global Platform and PIV 9B keysets to factory values.
3.6.4 Notifications to other systems
FIPS 201-3 requires that any databases maintained by the PIV card issuer that indicate current valid (or invalid) FASC-N or UUID values must be updated to reflect the change in status.
You can configure MyID to send notification messages containing information about card cancellations. For more information on notifications, contact customer support quoting reference SUP-222.
3.6.5 Changing the disposal status of a card
The disposal status of a canceled PIV card can be recorded in the MyID audit trail. Recording the disposal status ensures that the card cannot be re-issued. You can use the Card Disposal workflow to set the disposal status. For information, see the Disposing of a device section in the MyID Operator Client guide.