Identity Quality Calculation | ||
Determined Value | Weighting of This Value | |
Quality of Ownership | ||
Choose the ONE that is closest | ||
The identity is not "owned" but is simply a username that was created by the user for access to a particular application or set of applications. | 0 | |
The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in a single application provided by the principal relying party | T | 1 |
The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in the principal relying party's limited set of applications. | 2 | |
The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in the principal relying party's local area network. | Y | 2 |
The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in the principal relying party's local and wide area network. | T | 3 |
The identity was established by, and is owned by, an independent enrollment authority only for use in the network of one principal relying party such as an employer. | T | 4 |
The identity was established by, and is owned by, an independent enrollment authority only for principally for the benefit of one principal relying party such as an employer but is available for use elsewhere. | Y | 5 |
The identity is owned by a government entity. | 5 | |
The identity is "user centric SSO", established by the user, with ownership not specified. | 5 | |
The ownership of the identity is explicitly that of the user, for use in applications and networks of multiple relying parties. | Y | 6 |
The identity is owned by a bank or financial services firm, for use in the accounts with an available cash balance; the bank or financial services firm is the sole relying party. | 6 | |
The identity is owned by a bank or financial services firm, for use in the accounts with an available cash balance and also for use in applications and networks of multiple relying parties. | 7 | |
The ownership of the identity is explicitly that of the user, for use in applications and networks of multiple relying parties, at least one of which is a bank account or other financial services account with an available cash balance. | 8 | |
The Quality of Ownership Score of this Identity is | ||
Quality of Enrollment Practices | ||
Enter T beside each criterion that is true. | ||
Certified copy of birth certificate sent directly from registry to enrollment officer at enrollee request | Y | 7 |
Certified copy of birth certificate sent directly to enrollment officer by EO request | n | 8 |
Procedure supervised by CEP-certified Enrollment Officer | Y | 8 |
CEP-Approved PII Corroboration Procedure Used? | 8 | |
voice recording of enrollment procedure | 6 | |
Database records of voice recording of authenticatable separate digits 0-9 | 8 | |
video recording of enrollment procedure | 8 | |
Signed time and date stamp | 5 | |
Signed GPS location | 6 | |
If Remote: | ||
CEP-Approved email address lightweight validity check | 1 | |
CAPCHA used in lightweight enrollment form | 1 | |
CEP-Approved cookie placement procedure | 3 | |
MAC and IP addresses of enrollee client device recorded | 3 | |
CEP-Approved two-channel (net+phone) lightweight validity check | 4 | |
One Government-Issued Photo ID faxed? | 4 | |
One Government-Issued Photo ID presented to camera? | 5 | |
Two Government-Issued Photo IDs faxed? | 5 | |
Two Government-Issued Photo IDs presented to camera? | 6 | |
If Face-To-Face: | ||
CEP-Approved Affidavit and Oath by Notary, JP, or Commissioner of Deeds? | 7 | |
CEP-Approved Affidavit and Oath by Signing Agent or Immigration / Consular Official? | 8 | |
CEP-Approved Affidavit and Oath by Tabelio Officer or Latin Notary? | 9 | |
One Fingerprint recorded? | 4 | |
Two fingerprints recorded? | T | 5 |
ten fingerprints recorded? | Y | 6 |
face? | 5 | |
Iris | 7 | |
Retina | 8 | |
Voice | 5 | |
dna? | 8 | |
hand? | 4 | |
Raw Quality of Enrollment Score | ||
The Quality of Enrollment Practices Score of this Identity is | ||
Quality of Attestation | ||
No certification | 0 | |
Identity provided by IdP | 1 | |
Identity Provided by and attested by IdP | 2 | |
Identity Provided by IdP via X.509 certificate | 3 | |
Identity Provided by and attested by IdP via X.509 certificate | 4 | |
Identity Provided by and attested by CA via X.509 certificate | 4 | |
Identity Provided by and attested by WebTrust Audited General Purpose CA via “Level 1” X.509 certificate | 3 | |
Identity Provided by and attested by WebTrust Audited General Purpose CA via “Level 2” X.509 certificate | 4 | |
Identity Provided by and attested by WebTrust Audited General Purpose CA via “Level 3” X.509 certificate | 5 | |
Identity Provided by and attested by WebTrust Audited General Purpose CA via “Level 4” X.509 certificate | 7 | |
Identity Provided by and attested by WebTrust Audited Personal Identity CA via X.509 certificate | 8 | |
Identity Provided by and attested by WebTrust Audited Public Authority Identity CA via X.509 certificate | 9 | |
Quality of Means of Assertion | ||
Credential stands by itself and is not associated with an identity from an identity assertion network | ||
Credential is assertable only as a username in a single organizational network | 0 | |
Credential is assertable only on a single online resource such as a Web site | 0 | |
Credential is assertable only through a proprietary group of online resources such as a group of related Web sites or a federated identity network | 1 | |
Credential is assertable through OpenID, CardSpace or Liberty Alliance | 4 | |
Credential is assertable through I-Name | 5 | |
Credential is assertable through multiple identity assertion networks | 6 | |
Credential is assertable through all current identity assertion networks | 8 | |
Quality of Credential Carrier (“wallet” or “token”) | ||
0: private key is stored on the hard drive of a network-connected computer running a personal computer operating system without firewall protection | 0 | |
1: private key is stored on the hard drive of a network-connected computer running a personal computer operating system with an intrusion prevention mechanism whose quality has been verified by the enrollment officer | 1 | |
2: private key is stored in a verified “sandbox” area on a device such as a mobile phone but without isolation from the device's general operating system | 2 | |
3: private key is stored in a verified isolated device with a separate operating environment on a device such as a mobile phone, isolated from the device's general operating system, as verified by the enrollment officer | 3 | |
4: private key is stored in a verified isolated device with a separate operating environment on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of passcode from the keypad of the mobile device. | 4 | |
5: private key is stored in a verified isolated device with a separate operating environment on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of passcode or biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device. | 5 | |
6: private key is stored in a verified isolated device with a separate operating system that meets the “Osmium” standard for isolated cryptographic operating systems or an equivalent standard for HSM devices on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of both a passcode and a biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device. | 6 | |
7: private key is stored in a verified isolated device with a separate operating system that meets the “Osmium” standard for isolated cryptographic operating systems or an equivalent standard for HSM devices on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of both a passcode and a biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device. Additionally, the isolated device has a display, circuitry and Osmium-grade software that is suitable for image-verification of a remote facility for authenticity | 7 | |
8: private key is stored in a verified isolated device with a separate operating system that meets the “Osmium” standard for isolated cryptographic operating systems or an equivalent standard for HSM devices on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of both a passcode and a biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device. Additionally, the isolated device has a display, circuitry and Osmium-grade software that is suitable for image-verification of a remote facility for authenticity; and a system in which the verification image exists only in encrypted form, with all cleartext versions of the image having been destroyed | 8 | |
Quality of Assumption of Liability | ||
AL Code 0: No assumption of liability by any party | 0 | |
AL Code 1: Used only for certificates produced by non-notarial enrollment processes: Enrollment Officer assumes at least $5,000 liability for the integrity of the enrollment process, meaning that the enrollment officer takes responsibility for the subject's correct identity. | 1 | |
AL Code 2: The enrollment was notarial, which means enrollee is under penalty of perjury for any false information in oath and affidavit and the enrolling notary (not necessarily the same person as the enrollment officer) assumes criminal liability against fraudulent enrollment. However, no financial liability is assumed. | 2 | |
AL Code 3: The enrollment was notarial, and the subject assumes at least $10,000 liability for acts of fraudulent enrollment; however, such liability is not covered by insurance or bond. | 3 | |
AL Code 4: The enrollment was notarial, and the subject assumes at least $5,000 bonded or insured liability for acts of fraudulent enrollment. | 4 | |
AL Code 5: The enrollment was notarial, the subject, enrolling notary and enrollment officer (if different from enrolling notary) each assumes at least $5,000 bonded or insured liability for acts of fraudulent enrollment. | 5 | |
AL Code 6: The enrollment was notarial, the subject, enrolling notary and enrollment officer (if different from enrolling notary) each assumes at least $25,000 bonded or insured liability for acts of fraudulent enrollment. | 6 | |
AL Code 6: The enrollment was notarial, the subject, enrolling notary and enrollment officer (if different from enrolling notary) each assumes at least $25,000 bonded or insured liability for acts of fraudulent enrollment; and the subject assumes at least $100,000 liability, bonded or insured, for any fraudulent act committed with the use of this identity credential or any derivative credential or certificate. | 6 | |
AL Code 7: The enrollment was notarial, the subject, enrolling notary and enrollment officer (if different from enrolling notary) each assumes at least $25,000 bonded or insured liability for acts of fraudulent enrollment; and the subject assumes at least $1,000,000 liability, bonded or insured, for any fraudulent act committed with the use of this identity credential or any derivative credential or certificate. | 7 | |
AL Code 8: Enrollment Officer verifies initially and at least yearly thereafter that the subject of the identity certificate carries a bond of $5 million or more that insures not only the identity of subject but against fraud in all transactions and events that the subject signs with the identity credential or any derivative credential or certificate. | 8 | |
AL Code 9: Subject is bonded and the bond applies to any instance where the credential is misused; subject assumes liability for any and all misuse of the credential. Bonding events, including commitments regarding the use of the bond, are are signed by the bond issuer and are updated at each bonding or bond usage event; and are made available in an InDoor space to relying parties. | 9 | |