6 Derived Credentials

This section is informative.

Deriving credentials is based on the process of an individual proving to a CSP that they are the rightful subject of an identity record (i.e., a credential) that is bound to one or more authenticators they possess. This process is made available by a CSP that wants individuals to have an opportunity to obtain new authenticators bound to the existing, identity proofed record, or credential. As minimizing the number of times the identity proofing process is repeated benefits the individual and CSP, deriving identity is accomplished by proving possession and successful authentication of an authenticator that is already bound to the original, proofed digital identity.

The definition of derived in this section does not imply that an authenticator is cryptographically tied to a primary authenticator, for example deriving a key from another key. Rather, an authenticator can be derived by simply issuing on the basis of successful authentication with an authenticator that is already bound to a proofed identity, rather than unnecessarily repeating an identity proofing process.

There are two specific use cases for deriving identity:

  1. A claimant seeks to obtain a derived PIV, bound to their identity record, for use only within the limits and authorizations of having a PIV smartcard. This use case is covered in SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials.
  2. An applicant seeks to establish a credential with a CSP with which the individual does not have a pre-existing relationship. For example, an applicant wants to switch from one CSP to another, or have a separate authenticator from a new CSP for other uses (e.g., basic browsing vs. financial). This use case is covered by allowable identity evidence in Section 5.2.

As stated above, all requirements for PIV-derived credentials can be found in SP 800-157. For the second use case described above, this guideline does not differentiate between physical and digital identity evidence. Therefore it is acceptable, if the authenticator or an assertion generated by the primary CSP meets the requirements of Section 5, for them to be used as identity evidence for IAL2 and IAL3. In addition, any authenticators issued as a result of providing digital identity evidence are subject to the requirements of SP 800-63B.
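The derivation flow this section describes, as an added illustration that is not part of the NIST text and not a reference implementation: a CSP model in which a new authenticator is bound to an existing, proofed identity record only after successful authentication with an authenticator already bound to that record, and the new authenticator is freshly generated rather than cryptographically derived from the old one. The class and method names, the shared-secret authenticator model, and the sample subject are constructed for the example.

```python
"""Model of derived-credential issuance (constructed example, not NIST code)."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class IdentityRecord:
    subject_id: str
    ial: int  # identity assurance level established at proofing time
    # authenticator id -> secret; a simplified shared-secret authenticator model
    authenticators: dict = field(default_factory=dict)


class DerivationError(Exception):
    """Raised when a derived authenticator cannot be issued."""


class CSP:
    def __init__(self):
        self.records = {}

    @staticmethod
    def _new_authenticator():
        # Fresh, independent secret: nothing is derived from a primary key.
        return secrets.token_hex(4), secrets.token_bytes(32)

    def proof_and_enroll(self, subject_id, ial):
        """Identity proofing happens once; bind the first authenticator here."""
        rec = IdentityRecord(subject_id, ial)
        self.records[subject_id] = rec
        auth_id, secret = self._new_authenticator()
        rec.authenticators[auth_id] = secret
        return auth_id, secret

    def authenticate(self, subject_id, auth_id, presented_secret):
        """True only if auth_id is bound to this record and the secret matches."""
        rec = self.records.get(subject_id)
        if rec is None or auth_id not in rec.authenticators:
            return False
        return hmac.compare_digest(rec.authenticators[auth_id], presented_secret)

    def derive_authenticator(self, subject_id, auth_id, presented_secret):
        """Issue a new authenticator bound to the same proofed record, without
        repeating identity proofing; the existing IAL carries over."""
        if not self.authenticate(subject_id, auth_id, presented_secret):
            raise DerivationError("authentication with a bound authenticator failed")
        rec = self.records[subject_id]
        new_id, new_secret = self._new_authenticator()
        rec.authenticators[new_id] = new_secret
        return new_id, new_secret, rec.ial
```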