Components

The DCP components integrate different identity and credentialing service providers to enable the issuance of derived credentials in accordance with the industry best practice guided by NIST Special Publication 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. The architecture and component listing below detail the elements of the DCP.

1) Shared Identity Provider Interface

Interfaces with shared service providers to retrieve identity and credential information for qualified candidates. This enable organizations quickly locate users and receive verified identity data to begin the derived credential issuance process.

2) Employment Monitor

In additional to monitoring the user's credential, it is important that the employment status also be monitored to ensure the derived credentials are revoked if the employee separates from their employer. This interface monitors the employment status to detect employment separation and manage the associated certificates accordingly. 

3) Device Registration and Verification

A core security element for issuing derived credentials is to verify the user requesting the certificate is the proper owner of the device the credential will be deployed to. DCP performs a 3 phase verification check to ensure the device does below to the requesting user. Using a combination of the cryptography, physical device verification and credential deployment verification steps, DCP ensures the all phases of the request and delivery process are controlled to minimize fraudulent requests. 

4) Certificate Authority 

Interfaces with the certificate authority to process and retrieve certificates.

5) Mobile and Credential Management System Interface

The IdExchange can be configured to connect to existing mobile device management systems to enable automatic device verification and certificate delivery. Additionally, the IdExchange can connect to the HID Card Management System to exchange credential information and for derived credentialing services. 

6) Reports

The IdExchange will provide reports to provide details concerning the users, devices and certificates. These reports help to show the entire lifecycle of the credential issuance process.

7) Credential Publication

The system will provide a secure location for user's to download their derived credentials via API and web browser access.

8) Application Programming Interface (API)

The system provides a REST based API that enables system to system interaction to automate the derived credential issuance process.