...
Action item (identify section and sub-section) | Who (Univ. unit) | Type (documentation, infrastructure, procedure, Token Administration System) | Effort (Major, moderate, minor, complete) |
---|---|---|---|
4.2.3 Credential Technology – This section does not apply to multifactor credentials. Documentation will be produced to show how Virginia Tech’s credential technology meets or exceeds IAP requirements. Where guidance is needed, we will refer to NIST 800-63. | IMS, SETI | Documentation | moderate |
Management Assertion
The Virginia Tech User Certification Authority issues an X.509 personal digital certificate (PDC) onto a SafeNet 64K USB eToken Pro device. The eToken is activated using a password. Authentication is performed with public-key cryptography (SSL client-certificate authentication), so the private key never leaves the token. This is not a typical "Shared Authentication Secret" form of Identity Credential, but the institution asserts that this multi-factor credential meets or exceeds the requirements of the IAP. Additional guidance is provided in NIST 800-63.
...
Action item (identify section and sub-section) | Who (Univ. unit) | Type (documentation, infrastructure, procedure, Token Administration System) | Effort (Major, moderate, minor, complete) |
---|---|---|---|
4.2.4.2 Credential revocation or expiration – item #1 specifies that the IdPO shall revoke Credentials or Tokens within 72 hours of being notified that a credential is invalid or compromised. We must document this in the CPS and publish and enforce the corresponding procedures. | SIES for draft language, PMA for approval | Documentation, procedure | minor |
4.2.4.4 Credential issuance records retention – the IdPO shall retain records of credential issuance and revocation for a minimum of 180 days beyond expiration of the credential. The VT User CPS states that the VTCA retains audit logs for 1 year. | PMA, SIES | Documentation, infrastructure, TAS | minor |
Management Assertion
The authentication Credential is bound to the physical Subject and to the IdMS record pertaining to the Subject.
...