View this document as: a single page | multiple pages.

Appendix B. PIV Object Identifiers and Certificate Extension

This appendix is normative. It provides additional details for the PIV objects identified in Section 4.

B.1 PIV Object Identifiers

Table B-1, Table B-2, and Table B-3 list details for PIV object identifiers.

Table B-1. PIV Object Identifiers for PIV eContent Types

ID Object Identifier Description
id-PIV-CHUIDSecurityObject 2.16.840.1.101.3.6.1 The associated content is the concatenated contents of the CHUID, excluding the asymmetric signature field.
id-PIV-biometricObject 2.16.840.1.101.3.6.2 The associated content is the concatenated CBEFF_HEADER + STD_BIOMETRIC_RECORD.

Table B-2. PIV Object Identifiers for PIV Attributes

ID Object Identifier Description
pivCardholder-Name 2.16.840.1.101.3.6.3 The attribute value is of type DirectoryString and specifies the PIV cardholder’s name.
pivCardholder-DN 2.16.840.1.101.3.6.4 The attribute value is an X.501 type Name and specifies the DN associated with the PIV cardholder in the PIV certificates.
pivSigner-DN 2.16.840.1.101.3.6.5 The attribute value is an X.501 type Name and specifies the subject name that appears in the PKI certificate for the entity that signed the biometric data record or CHUID.
pivFASC-N 2.16.840.1.101.3.6.6 The pivFASC-N OID MAY appear as an X.501 type Name in the otherName field of the Subject Alternative Name extension of X.509 certificates or a signed attribute in CMS external signatures. Where used as an X.501 type Name, the syntax is OCTET STRING. Where used as an attribute, the attribute value is of type OCTET STRING. In each case, the value specifies the FASC-N of the PIV Card.

Table B-3. PIV Object Identifiers for PIV Extended Key Usage

ID Object Identifier Description
id-PIV-content-signing 2.16.840.1.101.3.6.7 This specifies that the public key MAY be used to verify signatures on CHUIDs and biometric data records.
id-PIV-cardAuth 2.16.840.1.101.3.6.8 This specifies that the public key is used to authenticate the PIV Card rather than the PIV cardholder.

The OIDs for certificate policies are specified in [COMMON].

B.2 PIV Background Investigation Indicator Certificate Extension (Deprecated)

The PIV background investigation indicator (previously known as the NACI indicator) is deprecated under this version of the Standard, and it is expected that the indicator will be removed from a future revision. Instead of the on-card indicator, background investigative status is commonly maintained in each agency IDMS and personnel security system as well as in the Central Verification System (or successor). The status of the investigation can be communicated as needed using federation protocols.

If used, the PIV background investigation indicator extension indicates to the issuer whether the subject’s background investigation was incomplete at the time of credential issuance. The PIV background investigation indicator extension is always non-critical. The value of this extension is asserted as follows:

The PIV background investigation indicator extension is identified by the id-piv-NACI object identifier. The syntax for this extension is defined by the following ASN.1 module:

PIV-Cert-Extensions { 2 16 840 1 101 3 6 10 1 }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL --
-- IMPORTS NONE --
id-piv-NACI OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }
NACI-indicator ::= BOOLEAN
END