IDEF Knowledge Base

SECURE-3. CREDENTIAL REPRODUCTION

REQUIREMENT

Entities that issue or manage credentials and tokens MUST implement industry-accepted processes to protect against their unauthorized disclosure and reproduction.

SUPPLEMENTAL GUIDANCE

Potential controls that can be put in place to prevent unauthorized disclosure and reproduction include:

  • The use of secure transport for credential and token data (see SECURE-2 (DATA INTEGRITY));
  • Implementation of industry-accepted cryptographic techniques for the storage of credential and token data (see SECURE-2 (DATA INTEGRITY));
  • Implementation of industry-accepted key management and protection techniques (see SECURE-11 (KEY MANAGEMENT));
  • Out-of-band distribution of credentials or tokens;
  • In-person issuance of credentials or tokens; and
  • Anti-tampering and/or anti-counterfeiting mechanisms for tokens with a physical instantiation.

REFERENCES

FICAM TFPAP Trust Criteria, Registration and Issuance, LOA 2-3, #3 (p.21, 37)

APPLIES TO ROLES

TBA