City Hall for the Digital Age
Time-tested bedrock: Duly Constituted Public Authority
Osmio’s Vital Records Department is a certification authority that limits its practice to creating, maintaining, and protecting identity certificates.
Your Vital Records Department is here to serve you and your organization by facilitating the issuance of reliable identity credentials. Once issued, all of our credentials may be asserted at any online facility, site, or application that accepts OpenID or various other identity assertion methods. The Osmio VRD Certification Authority provides OCSP and CRL facilities to enable relying parties to verify the certificate's validity and its level of Identity Quality.
The Vital Records Department works with Notaries, Attestation Officers, and enrollment services providers, and with relying parties such as our own Buildings and Professional Licensing departments, to ensure that credentials with appropriate levels of Identity Quality are available.
Throughout Osmio and the regions for which Osmio serves as administrative capital, entry into a building that carries a proper occupancy permit will require an identity credential of a minimum Identity Quality that is appropriate to the purposes of the building, or of an office within the building, as determined by the person responsible for the facility.
To enable your entry into buildings with occupancy permits and to participate in most activities that take place in Osmio, you will need to obtain an identity credential of minimum standard reliability. This office can assist you in obtaining identity credentials, both attested and unattested. Please get in touch with us if you still have questions after viewing the following listings and links.
The Certification Practice Statement (CPS)
The Osmio Vital Records Department (VRD) Certification Practice Statement is the principal statement of policy governing its operation. This Certification Practice Statement (CPS) sets forth the business, legal, and technical requirements for providing certification services, to include: (1) approving, issuing, managing, using, revoking and renewing digital certificates; (2) maintaining an X.509 Certificate-based public key infrastructure in accordance with the certificate policies determined by the Osmio Certification Practices Commission; and (3) managing Osmio VRD repository operations.
The Vital Records Department manages the application of the Enrollment Component and the Identity Reliability Component of QEI (the Quiet Enjoyment Infrastructure).
- Certification Practice Statement
- Enrollment Component of QEI
- Identity Reliability Component of QEI
Enrollment: Establishing Digital Identity
The front line of Authenticity™
Enrollment means establishing a record of your identity with the Osmio Vital Records Department, which enables you to obtain the identity credentials you need to carry out your activities in the online and physical world as you interact with “relying parties” – people and entities who rely on knowing who you are, with measurable certainty.
Quality of enrollment
Identity Quality is an important consideration in enrollment. The second of the eight measures of identity quality (IDQA™) is “Quality of Enrollment Practices.” An enrollment can be performed either face-to-face in a notarial procedure, or it can be performed remotely, using a variety of “out of band” methods of verifying a claim of identity, where “out of band” refers to the acquisition of evidence of identity from channels other than the channel by which the identity was asserted (claimed). Obviously a face-to-face procedure will yield a higher Enrollment Quality score; but that can be costly in both time and money and for many purposes a remote enrollment will suffice. The Enrollment Quality score of a credential can be upgraded at any time by means of a higher-quality enrollment procedure. There are cases where an upgrade cannot be done – for example, if the Enrollment Quality score were in the certificate itself.
There are three broad categories of enrollment, in increasing order of enrollment quality:
- Self-service: remote, no notarial involvement
- Virginia Digital Birth Certificate™: remote, with “Virginia” notary
- F2F (face-to-face) Digital Birth Certificate™: face-to-face, with notarial agent
The face-to-face procedure can be performed by any notary anywhere in the world who is equipped to capture the recital of the Oath of Identity on video and where an Internet connection can be established.
Virginia notary
The U.S. State of Virginia has instituted an e-Notary program whereby specially qualified Virginia notaries can perform notarial acts, including the administration of oaths and jurats, over an audio-video link. The affiant (the person swearing the oath) can be anywhere in the world. This enrollment procedure provides a convenient and cost-effective alternative to a face-to-face enrollment.
The enrollment process
EOI: Evidence of Identity
Enrollment begins with the collection of EOI – Evidence of Identity.
In the case of a self-service enrollment, EOI is not kept. In the case of Virginia or F2F enrollment, the subject may choose to have whatever evidence supports the identity claim recorded and given to the subject (either online or on a thumb drive), kept by the Attestation Officer, both, or neither. Having the EOI kept by the Attestation Officer can increase the IDQA score.
The Foundational Certificate and PCN/PEN (key pair)
The next step in the enrollment procedure is the establishment of a Foundational Identity Certificate and corresponding PEN, which are not designed to be used for day-to-day authentication and signing, but rather are designed to be the “breeder” puzzle kit (PCN-PEN pair), kept in a safe or bank safe deposit box. The Foundational Certificate and PEN are used only to generate Utility Certificates that are embedded in smart cards, tokens, and phone SD chips. The linkage between Foundational and Utility is disclosed only under license from the subject (see the Personal Information Ownership Component of QEI for details).
In each case a PCN-PEN number pair is generated. The PCN of the pair is used as the basis for either a direct CSR (certificate signing request) or, in the case of either Virginia or F2F Digital Birth Certificate, an Indirect CSR. (The Indirect CSR is used because only a CSR signed by an Enrollment Authority (RA in traditional PKI terminology) will be recognized by the Osmio VRD Certification Authority server.)
The Direct Foundational CSR is then sent to the Osmio Vital Records Department; taken together, those items constitute the certificate signing request (CSR).
Because the Foundational Certificate includes personal information, it is kept secure and is asserted only when the subject needs a new utility credential for everyday use. The utility credential contains no personal information.
The Digital Birth Certificate™
A Digital Birth Certificate™ enrollment procedure results in the highest Enrollment Quality score (IDQA metric #2) of all available enrollment procedures and is intended for relying-party situations that call for the highest level of Identity Quality.
The procedure is performed by a public official: an Attestation Officer. It calls for the generating of an Affidavit of Identity and the recital of an oath based upon that affidavit. The oath recital is captured on video with voice, with the resulting files – affidavit and video – being digitally signed by the Attestation Officer.
The resulting identity certificate – also called a Digital Birth Certificate™ – serves either as a utility credential for everyday single-sign-on use or as your Foundational Certificate from which utility credentials can be easily generated. The Foundational Certificate approach enables "accountable anonymity" – the ability to assert identity without disclosing identity. It also means that a lost utility credential can be easily replaced, maintaining continuity with its predecessor credential.
After a Digital Birth Certificate enrollment, the subject is given the choice of keeping his or her enrollment record, including the oath video, completely in offline storage media (one for the subject and, with the consent of the subject, one for the Attestation Officer) or making it a part of their Disclosure Practice Statement. While most enrollees will be advised to keep such sensitive information offline, a few individuals who want to engage in high-value transactions remotely will want the records to be made available as a backup to their digital signature on, for example, a remotely executed purchase and sale agreement for a substantial asset. That allows a relying party to gain an additional measure of assurance by looking at the enrollment video for one more item of assurance that the counterparty is who they say they are before executing the transaction.
Credential strength
While identity credentials that are backed by notarial public authority – Digital Birth Certificates – are the strongest and most reliable, they tend to be more costly than those produced by a remote enrollment process – such as self-service – without notarial authority. Some relying-party applications, such as professional licenses for architects and contractors, appointments of public officials, and others, can only be issued to individuals who hold a valid Digital Birth Certificate™. Many facilities, however, can be accessed using lesser credentials.
Scheduling Digital Birth Certificate™ enrollments
Enrollment engagements are managed by Enrollment Agencies that are licensed by the City of Osmio Vital Records Department. The Enrollment Agency will be able to explain what is involved, including costs and availability of Attestation Officers to perform enrollments either at your place of business or theirs.
Before scheduling a Digital Birth Certificate enrollment session, the enrollee must be aware that the swearing of an oath places them under penalty of perjury.
Death certificates
In Osmio and its administrative domains, a Death Certificate consists of a Digital Birth Certificate or other digital identity certificate plus a certification by an enrollment officer that he or she has been presented with satisfactory evidence that the enrollee is deceased (normally a paper death certificate), an attestation that the keys of the deceased and any enrollment records were conveyed to an heir, and a listing of any non-escrowed encrypted keys or enrollment records for which decryption keys do not exist.