ABSTRACT

There are cases where primary credentials are not sufficient for some purpose. A common example is the use of a Personal Identification Verification credential with a smartphone or other mobile device. A derived credential is a secondary credential that is issued based on the same vetting procedure as the primary credential. In this sense, the credential's authenticity is derived from the same source as the primary credential's authenticity. For authentication, the derived credential has the same Distinguished Name, and it may have the same issuer, but it has a different key pair. For encryption, the derived credential has the same public key as the primary credential. This allows seamless use of both for the same entity. To keep derived credentials secure, they are installed on managed devices with mandatory security controls. The presence of both primary and derived credentials for the same user introduces management challenges, such as which credentials to revoke under different types of compromise.
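As an added illustration of the linkage rules stated above (example code, not from the abstract's authors), the following Go check compares a primary certificate with a candidate derived certificate: it requires the same Distinguished Name, a different key pair for an authentication credential, and the primary's own public key for an encryption credential. The self-signed test certificates, the subject names and the `CheckDerived` function are constructed assumptions for the demo; real derived credentials are issued by a CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key pair (constructed demo material).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
// selfSigned builds a minimal certificate binding commonName to key. Real
// derived credentials are CA-issued; self-signing only keeps this offline.
func selfSigned(commonName string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// CheckDerived enforces the linkage from the abstract: same Distinguished Name
// (compared on its DER encoding); new key pair for auth, primary's key for encryption.
func CheckDerived(primary, derived *x509.Certificate, forEncryption bool) error {
	if !bytes.Equal(primary.RawSubject, derived.RawSubject) {
		return fmt.Errorf("derived credential does not carry the primary's DN")
	}
	samePub := bytes.Equal(primary.RawSubjectPublicKeyInfo, derived.RawSubjectPublicKeyInfo)
	if forEncryption != samePub {
		return fmt.Errorf("key linkage wrong for forEncryption=%v (same public key: %v)", forEncryption, samePub)
	}
	return nil
}
func main() { // prints <nil>: a fresh key pair under the same DN is a valid derived auth credential
	fmt.Println(CheckDerived(selfSigned("Alice", newKey()), selfSigned("Alice", newKey()), false))
}
```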