WidePoint subsidary ORC has issued U.S. Government authentication credentials since 1999. Our experience spans all facets of identity proofing, credential issuing, and the underlying public key cryptographic technology. We believe it’s not only about the card, it’s about the identity and individual accountability.
Government Compliant Identity Assurance
ORC has leveraged its experience providing superior support to the Federal Government to become one of the nation’s premier systems engineering firms with a specialization in Information Assurance (IA) and Security.
What’s the difference between a Certificate and a Credential?
A credential is an attestation of an individual’s identity by a third party. Typically limited to identity authentication, which occurs prior to assignment of roles or privilege designations (either physical or logical), a credential can be used in various environments to assign privileges consistent with the objectives and unique requirements of an organization.
In cryptography, a public key “certificate” (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity—information such as the name of a person or an organization, their address, and so forth. The certificate can be used to provide very strong verification that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a Certificate Authority (CA). In a Web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
The strength or “assurance level” of a credential is defined by NIST SP 800-63 with respect to specific technical requirements:
- Tokens (typically a cryptographic key or password) for proving identity
- Identity proofing, registration and the delivery of credentials which bind an identity to a token
- Remote authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be
- Assertion mechanisms used to communicate the results of a remote authentication to other parties