Identity Proofing - Credential Policy, v3.0
Requirements for publishing a credential policy.
Assessment Steps (4)
|
1
Publish Policy (PublishPolicy)
Does the CSP publish a Credential Policy (CrP) and make it available to the community covering the intended applicants?
Artifact
Documentation
Provide policy indicating conformance to the requirement.
|
|
2
Policy covers Proofing (PolicycoversProofing)
Does the CPSs Credential Policy (CrP) document it's identity proofing and enrollment policies?
Artifact
Documentation
Provide policy indicating conformance to the requirement.
|
|
3
Sources (Sources)
Does the CSPs Credential Policy (CrP) state which issuing and authoritative sources are used for each type of identity proofing offered?
Artifact
Documentation
Provide policy indicating conformance to the requirement.
|
|
4
Limitations or requirements (Limitationsorrequirements)
Does the CSPs Credential Policy (CrP) state all elgibility requirements and limibations it applies to applicants?
Artifact
Documentation
Provide policy indicating conformance to the requirement.
|
Conformance Criteria (4)
|
Publish Policy
The CSP SHALL publish a Credential Policy (CrP) such that it is available to members of the intended Applicant / Service Consumer community before they are required to commit to signing-up to being a subject of the policy.
Citation
SP800-63A
Section 4.2 P6
|
|
Policy covers Proofing
The CrP must document its identity proofing and enrollment policy/ies.
Citation
SP800-63A
Section 4.2 P6
|
|
Sources
The CrP must state which issuing and authoritative sources are used to prove identities for each type of identity proofing offered.
Citation
SP800-63A
Section 4.2 P6
|
|
Limitations or requirements
The CrP must state any eligibility requirements or limitations which it applies to the scope of Applicants to its identity proofing service, subject to such limitations not breaching the restriction placed on it by suitability requirements.
Citation
SP800-63A
Section 4.2 P6
|