3.4 Notifications from an external PIV card issuer
Lifecycle events that take place against the PIV card used during the request must affect the status of the issued derived credential.
SP800-157 states the following:
- 2.3.4 – The Derived PIV Authentication certificate shall be revoked or the token containing the corresponding private key shall be either zeroed or destroyed when the binding between the Subscriber and the token containing the private key corresponding to the certificate is no longer considered valid or when the Subscriber no longer requires a DPC.
- 2.3.5 – Specific circumstances that would invoke 2.3.4 are:
  - The device is transferred to another individual
  - The issuing agency decides that the subscriber is no longer eligible for a PIV card
  - The issuing agency decides that the subscriber no longer requires a DPC
A trusted system can notify MyID of changes to the PIV card status, causing a corresponding action to occur against the issued derived credential.
3.4.1 PIV card cessation of trust
Where the PIV Card used during the request is no longer trusted, for example:
- The PIV Card issuing agency decides that the subscriber is no longer eligible for a PIV card.
- The PIV Card issuing agency decides that the subscriber no longer requires a DPC.
MyID can be notified, causing revocation of all derived credentials that have been issued following a request process that used the identified PIV Card. The PIV Card is identified using either the card FASCN or UUID values.
3.4.2 PIV card transfer of trust
If the PIV Card used during the request is replaced, the issued derived credentials must be updated so that they are associated with the replacement PIV card.
When MyID receives this notification, it will update the associated PIV card details, allowing future changes to the status of the PIV Card to affect the derived credentials.
3.4.3 PIV card change of details
Where details of the PIV Card holder are changed (specifically, the distinguished name or email address), the trusted system may inform MyID. This causes a rekey to be triggered for all issued derived credentials – see section 3.5.2, Certificate renewal (Rekey) for DPCs.
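The following is an added worked example, not MyID's own code or API, modelling how the three notification types in sections 3.4.1 to 3.4.3 act on a registry of issued derived credentials: cessation of trust revokes every DPC linked to the identified card, transfer of trust re-points the linked DPCs at the replacement card so that later notifications follow the new card, and a change of holder details marks the linked DPCs for rekey. The class and function names, the in-memory registry, the status values and the FASC-N/UUID sample values are all assumptions constructed for this illustration; the lookup by either FASC-N or UUID mirrors the identification rule stated in 3.4.1.

```python
"""Illustrative model (assumed, not MyID's own code) of how PIV card lifecycle
notifications drive the status of derived PIV credentials (DPCs)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class DpcStatus(Enum):
    ISSUED = "issued"
    REVOKED = "revoked"
    REKEY_PENDING = "rekey_pending"


@dataclass
class PivCardRef:
    """Identifies the PIV card used in the request, by FASC-N or UUID."""
    fascn: Optional[str] = None
    uuid: Optional[str] = None

    def matches(self, other: "PivCardRef") -> bool:
        # The card may be identified by either value; match on whichever
        # the notification supplies, never on an absent (None) value.
        if other.fascn and self.fascn == other.fascn:
            return True
        if other.uuid and self.uuid == other.uuid:
            return True
        return False


@dataclass
class DerivedCredential:
    serial: str
    subscriber: str
    piv_card: PivCardRef
    status: DpcStatus = DpcStatus.ISSUED
    history: List[str] = field(default_factory=list)


class DpcRegistry:
    """Holds issued DPCs and applies the three notification types."""

    def __init__(self) -> None:
        self.creds: Dict[str, DerivedCredential] = {}

    def issue(self, cred: DerivedCredential) -> None:
        self.creds[cred.serial] = cred

    def _linked(self, card: PivCardRef) -> List[DerivedCredential]:
        return [c for c in self.creds.values() if c.piv_card.matches(card)]

    # 3.4.1 cessation of trust: revoke every DPC issued against this card.
    def cessation_of_trust(self, card: PivCardRef, reason: str) -> List[str]:
        affected = []
        for c in self._linked(card):
            if c.status is not DpcStatus.REVOKED:
                c.status = DpcStatus.REVOKED
                c.history.append(f"revoked: {reason}")
                affected.append(c.serial)
        return affected

    # 3.4.2 transfer of trust: re-point linked DPCs at the replacement card.
    def transfer_of_trust(self, old: PivCardRef, new: PivCardRef) -> List[str]:
        affected = []
        for c in self._linked(old):
            c.piv_card = new
            c.history.append("piv card replaced")
            affected.append(c.serial)
        return affected

    # 3.4.3 change of details: DN or email changed, so trigger a rekey.
    def change_of_details(self, card: PivCardRef) -> List[str]:
        affected = []
        for c in self._linked(card):
            if c.status is DpcStatus.ISSUED:
                c.status = DpcStatus.REKEY_PENDING
                c.history.append("rekey triggered: holder details changed")
                affected.append(c.serial)
        return affected


def demo() -> DpcRegistry:
    """Constructed scenario: two DPCs for one subscriber, one for another."""
    reg = DpcRegistry()
    card_a = PivCardRef(fascn="FASCN-EXAMPLE-A", uuid="uuid-a")   # constructed
    card_b = PivCardRef(fascn="FASCN-EXAMPLE-B", uuid="uuid-b")   # constructed
    reg.issue(DerivedCredential("DPC-001", "alice", card_a))
    reg.issue(DerivedCredential("DPC-002", "alice", card_a))
    reg.issue(DerivedCredential("DPC-003", "bob", card_b))

    # Alice's card is replaced; her DPCs now follow the replacement card.
    card_a2 = PivCardRef(fascn="FASCN-EXAMPLE-A2", uuid="uuid-a2")
    reg.transfer_of_trust(PivCardRef(uuid="uuid-a"), card_a2)
    # A notification about the retired card must no longer touch anything.
    assert reg.cessation_of_trust(PivCardRef(fascn="FASCN-EXAMPLE-A"), "retired") == []
    # Holder details change on the replacement card: rekey Alice's DPCs.
    reg.change_of_details(PivCardRef(fascn="FASCN-EXAMPLE-A2"))
    # Bob is no longer eligible for a PIV card: revoke by UUID.
    reg.cessation_of_trust(PivCardRef(uuid="uuid-b"), "no longer eligible")
    return reg
```

Running `demo()` leaves DPC-001 and DPC-002 pending rekey and linked to the replacement card, and DPC-003 revoked; the point of the transfer step is that identifiers of the retired card stop matching, so later cessation or change notifications must cite the replacement card.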