Anil John
Making Digital Services Secure and Trustworthy

Anil John

NIST SP 800-73-3 and PIV-I

 Tweet  Share  Share  Comment  Print  Email

At a meeting yesterday Judy Spencer, co-chair of the Federal CIO Council ICAMSC, briefed that NIST had recently re-released Special Publication 800-73 [PDF] to account for PIV-I Card Issuance. These would be Smart Cards that can be issued by Non-Federal Issuer's and can potentially be trusted by US Government Relying Parties.

The relevant bits are in Section 3.3 of NIST SP 800-73-3 (Quoting below so that I can easily reference them in the future):

3.3 Inclusion of Universally Unique IDentifiers (UUIDs)

As defined in [10], the presence of a Universally Unique IDentifier (UUID) conformant to the specification [11] is required in each identification card issued by Non-Federal Issuers, referred to as "PIV Interoperable" (PIV-I) or "PIV Compatible" (PIV-C) cards. The intent of [10] is to enable issuers to issue cards that are technically interoperable with Federal PIV Card readers and applications, and that may be trusted for particular purposes through a decision of the relying Federal Department or Agency. Because the goal is interoperability of PIV-I and PIV-C with the Federal PIV System, the technical requirements for the inclusion of the UUID document are specified in this document. To include a UUID identifier on a PIV-I, PIV-C, or PIV Card, a credential issuer shall meet the following specifications for all relevant data objects present on an issued identification card.

  1. If the card is a PIV-I or PIV-C card, the FASC-N in the CHUID shall have Agency Code equal to 9999, System Code equal to 9999, and Credential Number equal to 999999, indicating that a UUID is the primary credential identifier. In this case, the FASC-N shall be omitted from the certificates and CMS-signed data objects. If the card is a PIV Card, the FASC-N in the CHUID shall be populated as described in Section 3.1.2, and the FASC-N shall be included in authentication certificates and CMS-signed data objects as required by FIPS 201.
  2. The value of the GUID data element of the CHUID data object shall be a 16-byte binary representation of a valid UUID[11]. The UUID should be version 1, 4, or 5, as specified in [11], Section 4.1.3.
  3. The same 16-byte binary representation of the UUID value shall be present as the value of an entryUUID attribute, as defined in [12], in any CMS-signed data object that is required to contain a pivFASC-N attribute on a PIV Card, i.e., in the fingerprint template and facial image data objects, if present.
  4. The string representation of the same UUID value shall be present in the PIV Authentication Certificate and the Card Authentication Certificate, if present, in the subjectAltName extension encoded as a URI, as specified by [11], Section 3.

The option specified in this section supports the use of UUIDs by Non-Federal Issuers. It also allows, but does not require, the use of UUIDs as optional data elements on PIV Cards. PIV Cards must meet all requirements in FIPS 201 whether or not the UUID identifier option is used; in particular, the FASC-N identifier must be present in all PIV data objects as specified by FIPS 201 and its normative references. PIV Cards that include UUIDs must include the UUIDs in all data objects described in (2) through (4).

At the site, you can also find a list of Credential Service Providers, cross-certified with the US Federal Bridge CA, who have the ability to issue PIV-I Credentials.

Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog ( The opinions expressed here are my own and do not represent my employer’s view in any way.

By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone