3.5 Managing DPCs issued by MyID

3.5.1 Reissuing DPCs in MyID

As with any credential type, there are occasionally situations where a DPC must be re-issued, for example to replace a missing or damaged device.

As a credential management system, MyID has several methods of requesting replacement or re-issuance of credentials.

To remain compliant with procedures for SP800-157, it is recommended that the request process is repeated in these situations.

3.5.2 Certificate renewal (Rekey) for DPCs

If the DPC is still present, and has not yet expired or been revoked, MyID can automate a certificate renewal process. At a configurable period before the DPC expires (28 days by default), a certificate renewal request is generated, which, when collected on the device, replaces the expiring certificates.

This feature makes certificate management more convenient for end users, as they do not need to repeat the derived credential request process. It is important that an external system can notify MyID of changes to the status of the originating PIV Card to ensure the DPC remains valid (see section 3.4, Notifications from an external PIV card issuer).

3.5.3 Updating DPCs

MyID can manage updates to the content of issued derived PIV credentials, to add or remove certificates – for example replacing a legacy certificate policy with an updated version or providing additional certificates. Where encryption certificates are issued as part of a DPC, additional certificates (such as those shared between the user's devices, to decrypt S/MIME messages) may be synchronized on the device.

3.5.4 Revoking DPCs

In addition to using the PIV Card status to control revocation of the DPC (see section 3.4, Notifications from an external PIV card issuer) MyID can revoke DPCs by the following methods:

The certificate authority used to issue the derived credential certificates must publish its Certificate Revocation List, or make an OCSP responder available, so that other systems can check the status of those certificates.
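As an added illustration of why the CA must publish its CRL (example code written for this page, not MyID's or the CA's own), the Go program below builds a constructed throwaway PKI and shows the relying-party side of the check: a DPC certificate is reported "revoked" or "good" only from a CRL that the issuing CA actually signed and that is still current, and a missing, unverifiable or stale CRL is reported "unknown" rather than "good". The CA name, serial numbers and holder names are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: a failed setup step is a bug, so panic
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture builds a throwaway PKI (constructed data, not MyID's): a CA, two DPC leaf certs, and a CRL listing the first.
func BuildFixture() (ca, revoked, good *x509.Certificate, crlDER []byte) {
	caKey, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example DPC Issuing CA"}, IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice.dpc"},
		NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	revoked = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, ca, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)).Public(), caKey))))
	leaf.SerialNumber, leaf.Subject.CommonName = big.NewInt(1002), "bob.dpc" // reuse the template for a second holder
	good = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, ca, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)).Public(), caKey))))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return
}

// RevocationStatus answers "revoked" or "good" only from a CRL this issuer signed that is current at `at`; anything else is "unknown".
func RevocationStatus(leaf, issuer *x509.Certificate, crlDER []byte, at time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || string(crl.RawIssuer) != string(leaf.RawIssuer) || at.After(crl.NextUpdate) {
		return "unknown" // unparsable, not signed by this CA, or past nextUpdate: fetch a fresh CRL (or ask OCSP) instead
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```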

3.5.5 Erasing DPCs

MyID can directly erase virtual smart cards on Windows computers, to remove the credential completely. This can take place as an administrative operation, or automatically when collecting a replacement VSC.

The capability to remove certificates from mobile devices may depend on how the key is stored. For example, when using the native key store, or a store controlled by a mobile device management system, the keys may need to be removed by other processes not controlled by MyID.

3.5.6 Auditing

MyID records all credential request, issuance, and management operations in its signed audit trail. This captures the main lifecycle events, along with detailed information such as when each event occurred, which person or system was authenticated to perform the operation, and the result of the event.

This information is cryptographically signed, and can be exported for permanent record keeping.