Tuesday, April 24, 2007

What's there in expiration date ???

Why Expiration Date for PIV Credentials ???

Physical access control systems (PACS) validate identity before allowing entry to and/or exit from a facility. The identity in a traditional physical access system is a plain, simple unique identifier: a unique number encoded on the token using any of several technologies. At times, a physical access system obfuscates the unique identity number by encrypting or scrambling it.

PIV requires more than a unique identity number to be part of the card holder's unique identifier, which "binds" the holder to the token. In PIV lingo, this ID is known as the CHUID, and it has several components. The card holder is identified not only by the unique number but also by the agency where he/she is employed, the system code, the credential and the expiration date of the identity card.

Why was there a need to add the expiration date to the card holder's unique identifier?
Well, PIV has been designed for interoperability, and to achieve real inter-agency operability the critical information on which a user is allowed to enter a facility should be available on the card, and be portable. Therefore, if Alice enters facility FA, where she works, her identity can be verified. Now, let's say that Alice goes to facility FB: there her identity can be verified, and access granted or denied, using not only the agency code and credential but also the expiration date alongside them.

This is really the right design for an interoperable and secure physical access control system. Therefore, I am all for it, and would add that any implementation which does not verify the expiration date is truly not an inter-operable PACS. It also does not implement the specifications in their entirety.

For security systems whose access control policy does not carry an expiration date in their database, the expiration date on the card MUST be checked. Where both a database date and a card date exist, whichever date comes first holds priority over the other.

If a card is issued to a visitor, the expiration date on the temporary badge must be encoded so that it imposes a temporal restriction on access to the facility. Let's win our freedom by not compromising the system at any time!!
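As an added example (not from the original post), the decision rule above in Python: a CHUID record with the fields listed, and a check in which the earlier of the card's and the database's expiration dates prevails. Agency codes, credential numbers and dates are constructed; the YYYYMMDD text format for the card's date element is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Chuid:
    """The CHUID components named in the post; all values below are constructed."""
    agency_code: str
    system_code: str
    credential_number: str
    expiration: date


def parse_expiration(yyyymmdd: str) -> date:
    """Parse the card's expiration date element (assumed here to be YYYYMMDD text)."""
    if len(yyyymmdd) != 8 or not yyyymmdd.isdigit():
        raise ValueError("expiration date must be 8 digits, YYYYMMDD")
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:]))


def effective_expiration(card_exp: date, db_exp: Optional[date]) -> date:
    """Whichever date comes first wins; without a database record the card date stands."""
    return card_exp if db_exp is None else min(card_exp, db_exp)


def decide(chuid: Chuid, today: date, trusted_agencies: Set[str],
           db_exp: Optional[date] = None) -> Tuple[bool, str]:
    """Interoperable decision: agency code first, then the effective expiration date."""
    if chuid.agency_code not in trusted_agencies:
        return False, "agency code not authorized at this facility"
    exp = effective_expiration(chuid.expiration, db_exp)
    if today > exp:
        return False, "credential expired on " + exp.isoformat()
    return True, "access granted until " + exp.isoformat()


# Constructed sample data: Alice's card and a visitor badge presented at facility FB.
ALICE = Chuid("1234", "0001", "000042", parse_expiration("20091231"))
VISITOR = Chuid("1234", "0001", "900007", parse_expiration("20070425"))
FB_TRUSTED = {"1234", "5678"}
TODAY = date(2007, 4, 24)

if __name__ == "__main__":
    print(decide(ALICE, TODAY, FB_TRUSTED))                                 # card date only
    print(decide(ALICE, TODAY, FB_TRUSTED, parse_expiration("20070331")))   # earlier database date: denied
    print(decide(VISITOR, date(2007, 4, 26), FB_TRUSTED))                   # visitor badge past its date
```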

