Appendix C. Glossary of Terms, Acronyms, and Notations
This appendix is informative. It describes the vocabulary and textual representations used in the document.
C.1 Glossary of Terms
The following terms are used throughout this Standard.
- Access Control
- The process of granting or denying specific requests to 1) obtain and use information and
related information processing services and 2) enter specific physical facilities (e.g., federal buildings,
military establishments, border crossing entrances).
- Adjudicative Entity
- An agency authorized by law, Executive Order, designation by the Security Executive Agent, or delegation by the Suitability & Credentialing Executive Agent to make an adjudication. Adjudication has the meaning provided in [Executive Order 13764], “(a) ‘Adjudication’ means the evaluation of pertinent data in a background investigation, as well as any other available information that is relevant and reliable, to determine whether a covered individual is: (i) suitable for Government employment; (ii) eligible for logical and physical access; (iii) eligible for access to classified information; (iv) eligible to hold a sensitive position; or (v) fit to perform work for or on behalf of the Government as a Federal employee, contractor, or non-appropriated fund employee.”
- Applicant
- An individual applying for a PIV Card or derived PIV credential. The applicant may be a current or
prospective federal hire, a federal employee, or a contractor.
- Application
- A hardware/software system implemented to satisfy a particular set of requirements. In
this context, an application incorporates a system used to satisfy a subset of requirements related to the
verification or identification of an end user’s identity so that the end user’s identifier can be used to
facilitate the end user’s interaction with the system.
- Architecture
- A highly structured specification of an acceptable approach within a framework for
solving a specific problem. An architecture contains descriptions of all the components of a selected,
acceptable solution while allowing certain details of specific components to be variable to satisfy related
constraints (e.g., costs, local environment, user acceptability).
- Assertion
- A verifiable statement from an IdP to an RP that contains information about an end user.
Assertions may also contain information about the end user’s authentication event at the IdP.
- Asymmetric Keys
- Two related keys—a public key and a private key—that are used to perform
complementary operations, such as encryption and decryption or signature generation and signature
verification.
- Authentication
- The process of establishing confidence of authenticity; in this case, the validity of a
person’s identity and an authenticator (e.g., PIV Card or derived PIV credential).
- Authenticator
- Something the cardholder possesses and controls (e.g., PIV Card or derived PIV credential) that is used to authenticate the cardholder’s identity.
- Authenticator Assurance Level (AAL)
- A measure of the strength of an authentication mechanism and, therefore, the confidence in it, as
defined in [SP 800-63] in terms of three levels:
- AAL1
- Some confidence
- AAL2
- High confidence
- AAL3
- Very high confidence
- Biometric Authentication (BIO, BIO-A)
- A form of authentication in which authenticity is established by biometric
verification of a new biometric sample from a cardholder to a biometric data
record read from the cardholder’s activated PIV Card. In BIO, the biometric
sample may be captured from the cardholder in isolation, while in BIO-A, an
attendant must oversee the process of biometric capture.
- Biometric Capture Device
- Device that collects a signal from a biometric characteristic and converts it
to a captured biometric sample. SOURCE: [ISO 2382-37]
- Biometric Characteristic
- Biological attribute of an individual from which
distinctive and repeatable values can be extracted for the purpose
of automated recognition. Fingerprint ridge structure and face topography are
examples of biometric characteristics. SOURCE: [ISO 2382-37, adapted]
- Biometric Data
- Biometric sample or aggregation of biometric samples at any stage of
processing. SOURCE: [ISO 2382-37]
- Biometric Data Record
- Electronic data record containing biometric data. This information can be in terms of raw or compressed pixels or in terms of some biometric characteristic (e.g., patterns). SOURCE: [ISO 2382-37, adapted]
- Biometric On-Card Comparison (OCC)
- A one-to-one comparison of fingerprint biometric data records transmitted to the PIV Card with a biometric reference
previously stored on the PIV Card. In this Standard, OCC is used as a means of performing card activation and as part of Biometric On-Card Comparison Authentication (OCC-AUTH).
- Biometric On-Card Comparison Authentication (OCC-AUTH)
- An authentication mechanism where biometric on-card comparison (OCC) is used instead of a PIN to activate a PIV Card for authentication.
- Biometric Verification
- Automated process of confirming a biometric claim through biometric comparison. SOURCE: [ISO 2382-37, adapted]
- Biometric Verification Decision
- A determination of whether biometric probe(s) and biometric reference(s) have
the same biometric source based on comparison score(s) during a biometric verification
transaction. SOURCE: [ISO 2382-37, adapted]
- Capture
- Series of actions undertaken to obtain and record, in a retrievable form, signals of biometric characteristics directly from individuals. SOURCE: [ISO 2382-37, adapted]
- Cardholder
- An individual who possesses an issued PIV Card.
- Card Management System
- The system that manages the lifecycle of a PIV Card
application.
- Card Verifiable Certificate
- A certificate stored on the PIV Card that includes a public key, the signature of a certification authority, and further information needed to verify the certificate.
- Central Verification System
- A system operated by the Office of Personnel Management that contains information on security clearances, investigations, suitability, fitness determinations, [HSPD-12] decisions, PIV credentials, and polygraph data.
- Certificate Revocation List
- A list of revoked public key certificates created and digitally signed by a
certification authority. SOURCES: [RFC 5280, adapted] [RFC 6818, adapted]
- Certification
- The process of verifying the correctness of a statement or claim and issuing a certificate as
to its correctness.
- Certification Authority
- A trusted entity that issues and revokes public key certificates.
- Chain of trust
- An interoperable data format for PIV enrollment records that facilitates the import and export of records
between PIV Card issuers.
- Comparison
- Estimation, calculation, or measurement of similarity or dissimilarity between biometric probe(s) and biometric reference(s). See also Identification. SOURCE: [ISO 2382-37]
- Component
- An element of a large system—such as an identity card, issuer, card reader, or identity
verification support—within the PIV system.
- Conformance Testing
- A process established by NIST within its responsibilities of developing,
promulgating, and supporting a FIPS for testing specific characteristics of components, products,
services, people, and organizations for compliance with the FIPS.
- Credential
- Evidence attesting to one’s right to credit or authority. In this Standard, it is the PIV Card
or derived PIV credential associated with an individual that authoritatively binds an identity (and, optionally,
additional attributes) to that individual.
- Cryptographic Key (Key)
- A parameter used in conjunction with a cryptographic algorithm that
determines the specific operation of that algorithm.
- Derived PIV Credential
- A credential issued based on proof of possession and control of a PIV Card. Derived PIV credentials are typically used
in situations that do not easily accommodate a PIV Card, such as in conjunction with mobile devices.
- Enrollment
- See Identity Registration.
- Enrollment Data Set
- A record that includes information about a biometric enrollment (i.e., name and role of
the acquiring agent, office and organization, time, place, and acquisition method).
- Federal Agency Smart Credential Number (FASC-N)
- One of the primary
identifiers on the PIV Card for physical access control, as required by FIPS 201. The FASC-N is a fixed length (25 byte) data
object that is specified in [SP 800-73] and included in several data objects on a PIV Card.
- Federal Information Processing Standards (FIPS)
- A standard for adoption and use by federal
departments and agencies that has been developed within the Information Technology Laboratory and
published by NIST, a part of the U.S. Department of Commerce. A FIPS covers some topic in
information technology to achieve a common level of quality or some level of interoperability.
- Federation
- A process that allows for the conveyance of identity and authentication information across a set of networked systems.
- Federation Assurance Level (FAL)
- A category that describes the federation protocol used to communicate an assertion containing authentication and attribute
information (if applicable) to an RP, as
defined in [SP 800-63] in terms of three levels:
- FAL1
- Some confidence
- FAL2
- High confidence
- FAL3
- Very high confidence
- Identification
- The process of discovering the identity (i.e., origin or initial history) of a person or item
from the entire collection of similar persons or items.
- Identifier
- Unique data used to represent a person’s identity and associated attributes. A name and a card
number are examples of identifiers.
- Identity
- The set of physical and behavioral characteristics by which an individual is uniquely
recognizable.
- Identity Assurance Level (IAL)
- A category that conveys the degree of confidence that a person’s claimed identity is their real identity, as
defined in [SP 800-63] in terms of three levels:
- IAL1
- Some confidence
- IAL2
- High confidence
- IAL3
- Very high confidence
- Identity Proofing
- The process of providing sufficient information (e.g., identity history, credentials,
documents) to establish an identity.
- Identity Management System (IDMS)
- One or more systems
or applications that manage the identity proofing, registration, and issuance processes.
- Identity Registration
- The process of making a person’s identity known to the PIV system, associating a
unique identifier with that identity, and collecting and recording the person’s relevant attributes into the
system. In some other NIST documents, such as [SP 800-63A], identity registration is referred to as enrollment.
- Identity Verification
- The process of confirming or denying that a claimed identity is correct by
comparing the credentials of a person
requesting access with those previously proven and associated with the PIV Card or a derived PIV credential associated with
the identity being claimed.
- Invalidate
- To render a credential or authenticator incapable of being used for authentication by causing its authenticator output to no longer be accepted by relying parties.
- Issuer
- The organization that is issuing the PIV Card to an applicant. Typically, this is an organization
for which the applicant is working.
- Issuing Facility
- A physical site or location—including all equipment, staff, and
documentation—that is responsible for carrying out one or more of the
following PIV functions:
- identity proofing and registration;
- card and token production;
- activation and issuance;
- post-issuance binding of derived PIV credentials; and
- maintenance.
- Key
- See Cryptographic Key.
- Match
- Comparison decision stating that the biometric probe(s) and the biometric
reference are from the same source. Match is a possible result of a
Comparison. The opposite of a match is a non-match. SOURCE: [ISO 2382-37, adapted]
- Model
- A detailed description or scaled representation of one component of a larger system that can
be created, operated, and analyzed to predict actual operational characteristics of the final produced
component.
- Off-Card
- Refers to data that is not stored within the PIV Card or to a computation that is not performed
by the integrated circuit chip (ICC) of the PIV Card.
- On-Card
- Refers to data that is stored within the PIV Card or to a computation that is performed by the
integrated circuit chip (ICC) of the PIV Card.
- Online Certificate Status Protocol (OCSP)
- An online protocol used to determine the status of a public
key certificate. SOURCE: [RFC 6960, adapted]
- Path Validation
- The process of verifying the binding between the subject identifier and subject public
key in a certificate, based on the public key of a trust anchor, through the validation of a chain of
certificates that begins with a certificate issued by the trust anchor and ends with the target certificate.
Successful path validation provides strong evidence that the information in the target certificate is
trustworthy.
- Personally Identifiable Information (PII)
- Information that can be used to distinguish or trace an
individual’s identity—such as name, social security number, biometric data records—either alone or when
combined with other personal or identifying information that is linked or linkable to a specific individual
(e.g., date and place of birth, mother’s maiden name, etc.). SOURCE: [M-17-12, adapted]
- Personal Identification Number (PIN)
- A numeric secret that a cardholder memorizes and uses as part of authenticating
their identity.
- Personal Identity Verification (PIV) Identity Account
- The logical record containing credentialing information for a given PIV cardholder. This is stored within the issuer’s identity management system and includes PIV enrollment data, cardholder identity attributes, and information regarding the cardholder’s PIV Card and any derived PIV credentials bound to the account.
- Personal Identity Verification (PIV) Card
- A physical artifact (e.g., identity card, “smart” card) issued
to an individual that contains a PIV Card application that stores identity credentials (e.g., photograph,
cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can
be verified against the stored credentials.
- PIV Credential
- A credential that authoritatively binds an identity (and, optionally, additional attributes) to the authenticated cardholder that is issued, managed, and used in accordance with the PIV standards. These credentials include public key certificates stored on a PIV Card as well as other authenticators bound to a PIV identity account as derived PIV credentials.
- PIV Enrollment Record
- A sequence of related enrollment data sets that is created and
maintained by PIV Card issuers. The PIV enrollment record typically contains data collected
at each step of the PIV identity proofing, registration, and issuance processes.
- PIV Visual Credential Authentication (VIS)
- An authentication mechanism where a human guard inspects the PIV Card and the person presenting it and makes an access control decision based on validity of the card and its correspondence with the presenter. This mechanism is deprecated.
- Private Key
- The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt
data.
- Pseudonym
- A name assigned through a formal process by a federal department or agency to a federal
employee for the purpose of the employee’s protection (i.e., the employee might be placed at risk if their
actual name were known) or for other purposes.
- Public Key
- The public part of an asymmetric key pair that is typically used to verify signatures or
encrypt data.
- Public Key Certificate
- A digital document issued and digitally signed by the private key of a certification authority
that binds an identifier to a cardholder through a public key. The certificate indicates that the
cardholder identified in the certificate has sole control and access to the private key.
SOURCE: [RFC 5280, adapted]
- Public Key Infrastructure (PKI)
- A support service to the PIV system that provides the cryptographic
keys needed to perform digital signature-based identity verification and to protect communications and
the storage of sensitive verification system data within identity cards and the verification system.
- PKI-Card Authentication (PKI-CAK)
- A PIV authentication mechanism that is implemented by
an asymmetric key challenge/response protocol using the card authentication key of the PIV Card and a
contact or contactless reader.
- PKI-PIV Authentication (PKI-AUTH)
- A PIV authentication mechanism that is implemented by
an asymmetric key challenge/response protocol using the PIV authentication key of the PIV Card and a
contact reader or a contactless card reader that supports the virtual contact interface.
- Recommendation
- A special publication of the ITL that stipulates specific characteristics of the technology to
use or the procedures to follow to achieve a common level of quality or level of interoperability.
- Registration
- See Identity Registration.
- Symmetric Key
- A cryptographic key that is used to perform both the cryptographic operation and its
inverse (e.g., to encrypt, decrypt, create a message authentication code, or verify
a message authentication code).
- Secure Messaging Key Authentication (SM-AUTH)
- An authentication mechanism where the secure messaging key and associated certificate are used for authentication.
- Security Executive Agent
- Individual responsible for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures that govern the conduct of investigations and adjudications for eligibility to access classified information and eligibility to hold a sensitive position in the Federal Government. In accordance with Executive Order 13467 (as amended), this individual is the Director of National Intelligence (DNI).
- Symmetric Card Authentication Key Authentication (SYM-CAK)
- An authentication mechanism where the PIV Card is identified using the CHUID or another data element, and then the card responds to a challenge by signing the challenge value with the symmetric card authentication key. This mechanism is deprecated.
- Suitability and Credentialing Executive Agent
- Individual responsible for prescribing suitability standards and minimum standards of fitness for employment. With the issuance of Executive Order 13467, as amended, the Suitability and Credentialing Executive Agent is responsible for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures governing the conduct of investigations and adjudications for Suitability, Fitness, and Credentialing determinations in the Federal Government. Pursuant to Sections 1103 and 1104 of Title 5, United States Code, and the Civil Service Rules, the director of the Office of Personnel Management (OPM) is the Suitability and Credentialing Executive Agent.
C.2 Acronyms and Abbreviations
The following acronyms and abbreviations are used throughout this Standard:
- AAL
- Authenticator Assurance Level
- AAMVA
- American Association of Motor Vehicle Administrators
- ACL
- Access Control List
- AID
- Application Identifier
- AIM
- Association for Automatic Identification and Mobility
- ANSI
- American National Standards Institute
- ASN.1
- Abstract Syntax Notation One
- ASTM
- American Society for Testing and Materials
- CA
- Certification Authority
- CAK
- Card Authentication Key
- CBEFF
- Common Biometric Exchange Formats Framework
- CDS
- Card Design Standard
- CHUID
- Cardholder Unique Identifier
- cm
- Centimeter
- CMS
- Cryptographic Message Syntax
- CMTC
- Card Management System to Card
- CMVP
- Cryptographic Module Validation Program
- CMYK
- Cyan, Magenta, Yellow, and Key (or blacK)
- COTS
- Commercial Off-the-Shelf
- CRL
- Certificate Revocation List
- CSE
- Communications Security Establishment
- CTC
- Cardholder to Card
- CTE
- Cardholder to External System
- CVC
- Card Verifiable Certificate
- DHS
- Department of Homeland Security
- DN
- Distinguished Name
- DOB
- Date of Birth
- DPCI
- Derived PIV Credential Issuer
- dpi
- Dots Per Inch
- ERT
- Emergency Response Team
- FAL
- Federation Assurance Level
- FASC-N
- Federal Agency Smart Credential Number
- FBI
- Federal Bureau of Investigation
- FICAM
- Federal Identity, Credential, and Access Management
- FIPS
- Federal Information Processing Standards
- FIPS PUB
- FIPS Publication
- GSA
- U.S. General Services Administration
- GUID
- Global Unique Identification number
- HR
- Human Resources
- HSPD
- Homeland Security Presidential Directive
- HTTP
- Hypertext Transfer Protocol
- HTTPS
- Hypertext Transfer Protocol Secure
- IAL
- Identity Assurance Level
- ICC
- Integrated Circuit Chip
- ID
- Identification
- IDMS
- Identity Management System
- IdP
- Identity Provider
- IEC
- International Electrotechnical Commission
- IETF
- Internet Engineering Task Force
- INCITS
- International Committee for Information Technology Standards
- IR
- Infrared
- ISO
- International Organization for Standardization
- IT
- Information Technology
- ITL
- Information Technology Laboratory
- mil
- Thousandth of an inch
- mm
- Millimeter
- MWR
- Morale, Welfare, and Recreation
- NACI
- National Agency Check with Written Inquiries
- NCHC
- National Criminal History Check
- NIST
- National Institute of Standards and Technology
- NISTIR
- National Institute of Standards and Technology Interagency or Internal Report
- NPIVP
- NIST Personal Identity Verification Program
- NVLAP
- National Voluntary Laboratory Accreditation Program
- OCC
- On-Card Biometric One-to-One Comparison
- OCSP
- Online Certificate Status Protocol
- OID
- Object Identifier
- OMB
- Office of Management and Budget
- OPM
- Office of Personnel Management
- PCI
- PIV Card Issuer
- PC/SC
- Personal Computer/Smart Card
- PDF
- Portable Data File
- PIA
- Privacy Impact Assessment
- PII
- Personally Identifiable Information
- PIN
- Personal Identification Number
- PIV
- Personal Identity Verification
- PKI
- Public Key Infrastructure
- pt
- Point (unit of measurement)
- RFC
- Request for Comments
- RP
- Relying Party
- SAML
- Security Assertion Markup Language
- SAN
- Subject Alternative Name
- SP
- Special Publication
- sRGB
- Standard Red Green Blue
- SSP
- Shared Service Provider
- URN
- Uniform Resource Name
- U.S.C.
- United States Code
- UUID
- Universally Unique Identifier
- UV
- Ultraviolet
C.3 Notations
This Standard uses the following typographical conventions in text:
- ASN.1 data types are represented in a monospaced font. For example, `SignedData` and `SignerInfo` are data types defined for digital signatures.
- Specific terms in CAPITALS represent normative requirements. When these same terms are not in CAPITALS, the term does not represent a normative requirement.
- The terms “SHALL” and “SHALL NOT” indicate requirements to be followed strictly in order to conform to the publication and from which no deviation is permitted.
- The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities, one is recommended as particularly suitable without mentioning or excluding others, that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.
- The terms “MAY” and “NEED NOT” indicate a course of action permissible within the limits of the publication.
- The terms “CAN” and “CANNOT” indicate a possibility and capability—whether material, physical, or causal—or, in the negative, the absence of that possibility or capability.