Comment: Migrated to Confluence 5.3
Electronic Signature Implementation Requirements

(from policy directive 32-110)
1. The implementation of an e-signature system must contain some form of technical non-repudiation services to protect the reliability, authenticity, integrity, and usability, as well as the confidentiality, and legitimate use of the electronically-signed information.
2. The technical non-repudiation services (required in number 1 above) should tie the electronic transaction to the individual or entity in a legally-binding way.
...

Introduction

The requirement to identify and authenticate a particular person establishes a need for an initial person proofing and registration process and an authentication process to support an identity assertion implied in each eSignature transaction.

...

An identity assertion is a statement asserting a subject's identity. Person proofing, also known as identity proofing, is the process of establishing a person's identity to a known level of confidence. Registration, also known as enrollment, is the process of applying person proofing procedures and issuing or registering electronic identity credential(s). Delivery of credentials puts the electronic credentials in the custody of the registrant.

...

An identity assertion is a statement asserting a subject's identity; for example, "I am Elvis Presley" or "he is Elvis Presley". Discretion or due diligence in acceptance of identity assertions normally depends on context. It is normal to exercise more discretion when accepting an identity assertion about a prospective employee than when making introductions at a social event. Our interest in identity assertions is based on the requirement to identify and authenticate a particular person as the source of the electronic message. Due diligence in accepting the identity assertion may vary depending on the content and context of the electronic message; however, we can assume that for government transactions some proof, or authentication, will be required.

In the electronic transaction arena, it is standard practice to exercise due diligence about a subject's self-identity assertion infrequently (usually just once). After establishing a known level of confidence in the self-identity assertion (through person proofing or identity proofing; see below), electronic credential(s) are created and/or registered and delivered into the custody of the registrant. Then, in future transactions, the registrant can present those electronic credentials, and the identity system can authenticate those credentials and produce a third-party identity assertion. (Because he has presented electronic credentials that the identity system authenticated as credentials registered to Elvis Presley, the identity system makes the identity assertion that he is Elvis Presley.)
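
The flow described above (proof and register once, then authenticate per transaction and issue a third-party identity assertion), as an added example that is not part of the original guidance. All names (`register`, `authenticate`, `verify_assertion`, `REGISTRY`), the passphrase credential, and the HMAC key shared between the identity system and the relying party are assumptions made for illustration; a deployment could equally sign assertions with an asymmetric key.

```python
import hashlib, hmac, json, os, time

ASSERTION_KEY = os.urandom(32)  # assumption: shared by identity system and relying party
REGISTRY = {}                   # subject -> registration record (hypothetical store)

def _verifier(secret, salt):
    # Store a salted, stretched verifier, never the credential itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

def register(subject, proofing_level, secret):
    """One-time step: record the person-proofing result and register the credential."""
    salt = os.urandom(16)
    REGISTRY[subject] = {"salt": salt, "verifier": _verifier(secret, salt),
                         "proofing_level": proofing_level}

def authenticate(subject, secret, now=None):
    """Per transaction: check the presented credential against the registration.
    On success return a signed third-party identity assertion, else None."""
    rec = REGISTRY.get(subject)
    if rec is None:
        return None
    if not hmac.compare_digest(_verifier(secret, rec["salt"]), rec["verifier"]):
        return None
    claims = {"subject": subject, "proofing_level": rec["proofing_level"],
              "issued_at": int(time.time() if now is None else now)}
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": body, "tag": tag}

def verify_assertion(assertion, max_age=300, now=None):
    """Relying party: accept only an untampered, fresh assertion; return its claims."""
    body = assertion["claims"]
    expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None  # claims were altered or not issued by the identity system
    claims = json.loads(body)
    current = time.time() if now is None else now
    if current - claims["issued_at"] > max_age:
        return None  # stale assertion: require re-authentication
    return claims

if __name__ == "__main__":
    register("elvis", 2, "constructed-passphrase")  # constructed sample values
    print(verify_assertion(authenticate("elvis", "constructed-passphrase")))
```

The assertion carries the proofing level recorded at registration, so a relying party can apply the amount of due diligence its context requires without repeating the proofing step.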

...