The recent announcement that the rebirth of the CLEAR registered traveler program will use a PIV-based smart card technology could be very good news. The initial registered traveler interoperability standards took place at the same time as FIPS 201 and they passed like planes in the night.
This blog, a white paper by the Smart Card Alliance, the Security Industry Association PIV working group, the AAAE BASIC program and others have pointed out the need to leverage the Personal Identity Verification Interoperability (PIV-I) framework. PIV-I is an interoperable, multi-use, trusted, standard and expandable platform and meets the needs for secure credentialing in the 21st century. The case should be closed.
And there is more good news on the aviation credentialing front coming from the RTCA. Its current airport security system specification—230-B—is getting a revisit to take advantage of the existing policy for PIV-I.
Where this remains unclear is how the FAA requirements for pilot “certificates” will play out. Pilots, law enforcement officers (LEOs) and others need to be included under the PIV-I credentialing umbrella.
The pilot certificate announcement just hit the Federal Register. It seems to only call out for photos, it would be a shame if all the credentials do not align in the aviation sphere of operations. Security for pilots needs to be above a “flash pass” bar. PIV-I also provides a way to accept credentials of Federal officials working in airports as well.
Down a level, it remains to be seen what kind of Public Key Infrastructure (PKI) certificates and biometrics are implemented on the PIV smart card announced by CLEAR. The standards here make this obvious. It is possible to make the misstep of not implementing a PIV identity to go with the PIV applet in this smart card. If I were paying for this I would certainly like to be able to use it for more than just airport fast lanes—though I guess this is enough for some.
Notwithstanding the previous and the education, migration, integration and operational steps ahead this is very good news for PIV-I. In particular it is good news for those who have made an investment and want to use PIV-I related identity infrastructure and applications.