FAQs
1.1) What is SISAC?
Secure Identity Services Accreditation Corporation (SISAC) is a wholly owned non-profit subsidiary of the Mortgage Bankers
Association of America (MBA) that develops and maintains industry standards for secure identity credentials to be used within
e-mortgage related transactions, and accredits issuers of secure identity credentials against these same standards.
1.2) What does SISAC provide to the mortgage industry?
SISAC defines minimum standards for technology, and policies and rule sets for governance of digital identity credentials.
Technology standards provide a baseline for technical interoperability between business solutions. Governance standards
provide a common foundation for business related issues. In addition, SISAC requires a contract infrastructure between participants
to ensure compliance to these standards. The combination of minimum technology and business requirements creates a trust
(or federated) network.
SISAC does not provide identity credentials; rather, SISAC requirements are used to accredit and certify Public Key Infrastructure
(PKI) secure identity credential service providers. Accreditation of credential service providers is accomplished by an independent
3rd party audit (or attestation) and SISAC review. Within the SISAC domain an accredited credential service provider is
called an Accredited Issuing Authority (AIA).
1.3) Who are the major participants within SISAC?
There are four primary entities within SISAC: Auditors, Issuers, Subscribers, and Relying Parties.
- Auditors – Auditors or Audit Firms ensure Issuers meet the standards and requirements set forth by SISAC, which are defined
in SISAC's Certificate Policy Requirements Document (CPRD). Every Issuer, prior to accreditation, requires an independent
or 3rd party audit/attestation from a SISAC accredited Auditor to verify that the Issuer meets SISAC requirements defined
in the CPRD.
- Issuers – Issuers, or Accredited Issuing Authorities (AIAs) as they are referred to in SISAC, are responsible for the creation
and life cycle management of secure identity credentials. The criterion for accreditation requires an attestation from a
SISAC accredited Auditor.
- Subscribers – A Subscriber is the holder or user of a secure identity credential, and is the identity defined within the secure
identity credential. Subscribers can come in the form of Lenders, Brokers, Appraisers, Closing Agents, County Recorders, Attorneys,
etc. Individuals, Organizations, or devices are all types of Subscribers.
- Relying Parties – An entity (e.g., organization) that processes a secure identity credential for the purpose of providing
a security service (e.g., authentication) is a Relying Party. Relying Parties in the mortgage industry adhere to reasonable
reliance requirements defined by SISAC when processing secure identity credentials.
1.4) How does SISAC fit into eMortgage?
SISAC provides standards for secure identity credentials. Subscribers use their credentials to digitally sign electronic
records, access secured Web sites, communicate privately, and protect data from unauthorized tampering. Identity standards
combined with the Mortgage Industry Standards Maintenance Organization (MISMO) data and presentation standards provide secure,
interoperable and legally binding electronic records for the mortgage banking industry.


1.5) How does someone obtain a SISAC credential?
SISAC maintains a list of AIAs at http://www.sisac.org/. Individuals or organizations can contact any listed AIA to request and
receive a SISAC accredited secure identity credential. Additionally, your business partner may be a source to reference an
accredited credential provider.
2.1) What are SISAC's insurance requirements for AIAs?
A distinguishing factor of SISAC's accreditation services is the assignment of liability to the AIA for credentials issued
by that AIA, which includes insuring the credentials issued by the AIA. The credential insurance is a risk mitigation feature
that provides a Relying Party with a dispute resolution process and an opportunity to recoup financial loss as a result of
identity fraud. The identity fraud insurance is not universal; rather, the AIA is required to provide credentials based
on the SISAC minimum requirements. Issuers are liable for the processes and procedures used to issue and manage credentials,
and the credential insurance is intended to cover “errors and omissions” associated with these processes and procedures; however,
it will not cover situations where fraudulent breeder documents (driver license, birth certificate, passport, etc.) were used
to obtain SISAC credentials.
Mortgage transactions are collateralized transactions. Additionally, the collateral is not transient. Therefore, the identity
fraud insurance required by SISAC does not cover fraud related to activities such as appraisal, credit scoring, or underwriting.
2.2) How is SISAC's secure identity initiative different from other identity management initiatives?
The origin of SISAC was a common need within the mortgage industry for reliable, secure, interoperable identity management.
No commercial credential service provider met the requirements of the industry. Multiple parties, including GSEs, lenders,
and technology providers came together to develop the requirements. The group recognized the need for standards for authentication
of subscribers, liability associated with credential service providers, and a contract infrastructure to legally bind the
participants (i.e., AIAs, Subscribers, and Relying Parties). Additionally, identity management is generally not a core service
of the mortgage industry, hence the need to leverage existing commercial identity management infrastructure.
3.1) How does a Credential Service Provider become an Accredited Issuing Authority (AIA)?
Interested Credential Service Providers apply for accreditation by submitting a SISAC application. The candidate will be
required to submit their organizational information, product information, system and architecture topologies, technical and
physical configurations, certificate policy, and audit results (or expected audit results). The application is reviewed
by SISAC for completeness against the requirements. The final step is a signed agreement between the AIA and SISAC that
provides the AIA an approval for issuance by SISAC. All accredited issuing authorities will receive a SISAC “Mark” to designate
their approved status. Annual audits are required to maintain the approved status after the initial approval is granted.
4.1) What is the Certificate Policy Requirements Document (CPRD)?
The Certificate Policy Requirements Document (CPRD) contains the minimum baseline requirements, which must be met in order
to be a Mortgage Bankers Association of America (MBA) Accredited Issuing Authority (AIA) and related PKI Service Providers.
These minimum requirements set a standard for secure identity credentials within the mortgage industry and promote interoperability
among parties that issue and use these credentials. Those parties include (a) Certification Authorities; (b) Local Registration
Authorities; (c) Repositories; (d) End Entities, consisting of Certificate Holder/Subscribers and Authorized Relying Parties;
and (e) other PKI Service Providers such as auditors and insurers. The CPRD describes the roles, responsibilities, and
relationships of these parties and establishes the rules, procedures and requirements for the issuance, acquisition, management,
and use of Certificates to verify digital signatures and to sign, encrypt and authenticate electronic communications and digital
documents. The Policy Specifications portion of this document is modeled after and intended to comply with the Internet Engineering
Task Force (IETF) Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
4.2) How many Credential Types are defined by SISAC?
SISAC does not specify the applicability of credentials to applications. Rather, SISAC specifies three (3) types of credentials/certificates:
Basic, Medium, and High. The characteristics of these certificate types depend on the assurance levels for 1) the identification
and authentication procedures used by the AIA, 2) Subscriber private key storage, and 3) Subscriber certificate/key activation
data, as well as revocation notification, key size, and insurance. These certificate types allow a Relying Party to select
credentials that are appropriate for use within the Relying Party's environment. Hence, Relying Parties control and dictate
the types of identity credentials to be used within their environment.
4.3) What are the Identification & Authentication (I&A) requirements for Medium and High Assurance Certificate Types?
The distinguishing factor of the identification and authentication (I&A) process for Medium and High assurance certificates
is the in-person identity proofing of Subscribers applying for a SISAC credential. Although SISAC requires in-person identity
proofing at these levels, SISAC does not specify the details of how the proofing process is to be performed by the AIA.
This permits an AIA to define its I&A process for Medium and High assurance certificates based on its business practices and
Subscriber community, and may include the deployment of well-defined Local Registration Authorities (LRAs) that are known
to the AIA or leveraging already established Trusted Agents (e.g., US Post Offices) to perform the in-person proofing function.
SISAC will, however, evaluate the process proposed by an AIA to determine whether it meets the SISAC standards.
For example, the use of a corporate HR official as the Trusted Agent is a case where SISAC may approve or reject
a proposed authentication process. For well-established organizations and government agencies the HR official will have
credibility. For a small business or Small Office/Home Office (SOHO), the reliance on an HR official may not be as credible.
4.4) Are there issues with a 2048 root key?
There are no specific technical issues related to a signing certificate key size of 2048 bits. The benefit of a larger key length
is that it is more difficult to attack via brute force methods. An issue may arise, however, depending on when the AIA published
its trusted root certificate (e.g., the trusted root certificate may not be installed in older versions of browser software).
Many well-known PKI Service Providers populate their signing certificates (trust chain) in releases of the Operating System
or browsers. Microsoft has a program where vendors can publish the signing certificate as trusted root certificates.
In older browsers, a client may not have the latest trusted roots and therefore be unable to complete validation. The user
will be required to install an updated version of their browser, download the latest version of the trusted roots, or install
the signing certificate(s) directly.
4.5) Is FIPS 140-2 Level-2 a requirement for Registration Authorities (RAs)?
The CPRD allows for some interpretation with respect to how an RA application is accessed by an authorized individual. A
strict interpretation requires FIPS 140-2 level-2 storage of the private key for the RA. An alternative analysis allows
for the implementation of a trusted zone around the RA with multi-factor physical access controls. SISAC requirements allow
flexible configurations of an environment as long as access control requirements are achieved.
4.6) How is in-person I&A performed for organizational and device certificates?
The AIA needs to identify a trusted role that can perform the registration function (including any I&A functions) with the
organization, whether it is for organizational roles for people or for organizational devices. That person is then trusted
by the AIA to securely provide the registration information to the AIA (in the form of a certificate request). The AIA authenticates
that the certificate request came from an authorized person for that organization, and that the certificate request matches
the privileges for that trusted registration agent (e.g., the trusted registration agent can actually request that type of
certificate for that organization). If successful, the AIA returns a signed certificate to the trusted registration agent
(or to some other trusted entity; this is typically defined based on business processes).
4.7) What is the difference between an individual representing an organization and an organizational certificate?
There are two varieties of organization certificates, individual and organization. One type merely binds someone's identity
to an organization, but the certificate is still unique to that individual (i.e., only that individual has access to the corresponding
private key). The other type is a certificate that represents an organization, and not an individual, and the organizational
certificate may be issued to multiple individuals who are authorized to represent the organization (i.e., each individual
has access to the same private key). These two scenarios are quite different and will depend on your business model.
4.8) How does SISAC manage the requirement for Medium/High private key storage media (FIPS Level 1 or 2) for device certificates?
An AIA will rely on the operation of the trusted registration agent to ensure these kinds of requirements are met. If the
private key needs to go into a specific crypto module, it's up to that RA to ensure that function is performed, either by
the RA or by the certificate holder. The CP/CPS, subscriber, or business partner agreements will obligate organization compliance.
4.9) A web server will require an organizational or device certificate, however most web servers software/hardware are not
FIPS certified. How does a business comply with the Medium/High private key storage media requirement?
Web servers pose a challenge in that not many organizations want to use hardware modules to store server keys. Additionally,
software modules on web servers are generally not FIPS certified. Due to market forces, this is probably an area SISAC
will have to forgo for now and accept what industry has adopted. There are, however, FIPS certified hardware devices that
can be deployed on a server; these devices are usually used to perform SSL acceleration operations rather than for stronger
key storage.
5.1) Who are the Accredited Issuing Authorities (AIA)?
Once an AIA has successfully passed the independent audit and application process, SISAC will issue an accreditation seal.
The seal will designate the credential service provider as an approved SISAC AIA. A list of AIAs and their products (policy
identifiers) can be obtained via http://www.sisac.org/ or via email request to info@sisac.org. AIAs will be licensed to display the Accredited Issuer Seal.
5.2) What are the characteristics of an AIA?
Issuers are responsible for creation and life cycle management of identity credentials (digital certificates). Prior to
issuing credentials an AIA must become accredited. The criterion is the SISAC CPRD, and the audit/attestation is performed
by a SISAC approved Auditor.
AIA is defined as:
- Named as the Issuer of the identity credential (e.g., name in Issuer field in X.509 certificate), and
- Ultimately responsible and liable for the subscriber identity named in the identity credential (e.g., name in Subject field
in X.509 certificate), from a relying party perspective.
AIA consists of the following functions:
- Identity registration (including identification & authentication of subscribers)
- Identity credential manufacturing (e.g., the building and signing of an X.509 certificate)
- Identity credential publication services
- Identity credential revocation services
AIA functions can either be performed:
- In total by the AIA organization, or
- By separate organizations that have appropriate contractual relationships in place with the AIA (e.g., 3rd party organizations
to perform identity registration functions)
5.3) How do I identify the issuer field in a certificate?
The Issuer of the certificate is defined in the "issuer" field of the base X.509 certificate, and it is a Distinguished Name
(DN). For more information on this, you can read section 4.1.2.4 in RFC 3280, which states:
"The issuer field identifies the entity who has signed and issued the certificate. The issuer field MUST contain a non-empty
distinguished name (DN). The issuer field is defined as the X.501 type Name [X.501]."
5.4) What are the Obligations of an AIA?
The AIA is ultimately responsible for all aspects of the issuance and management of a particular PKI, and Certificates issued
therein, including: (i) the application and enrollment process; (ii) the Identification and Authentication process; (iii)
the Certificate manufacturing process; (iv) publication of Certificates; (v) Revocation of Certificates; (vi) renewal of Certificates;
and (vii) ensuring that all aspects of the AIA services and AIA operations and infrastructure related to Certificates issued
under an Approved CP are performed in accordance with the requirements, representations, and warranties of such CP, its related
CPS, and this CPRD, including notification of Certificate Issuance and Revocation.
6.1) Who are the Auditors?
SISAC has an approval process for Auditors. The Auditor must demonstrate adequate technical training and proficiency in
engagement, knowledge of subject matter, and capabilities to perform audits on identity credential service providers. A
list of accredited Audit Firms can be obtained via email to info@sisac.org. Auditors will be licensed to display the Accredited Auditor Seal.
Only an AIA will have a requirement for an Auditor. While SISAC will maintain a list of approved auditors, an interested
credential service provider can propose an alternative audit firm. The audit firm will be required to seek approval from
SISAC prior to their ability to perform the audit.
6.2) Are Outsource Functions of an AIA Audited?
SISAC does not restrict the use of 3rd party service providers by AIAs to support some of the AIA's overall identity management
operations. SISAC does require that an AIA establish a contract agreement with each 3rd party service provider and that
an approved Auditor audit all AIA functions and operations. How the audit is performed is left to the discretion of the
approved Auditor.
What are some examples for auditing an AIA's 3rd party provider?
Ex 1: Consider the environment where Organization A will be the Accredited Issuer (and hold liability) and Organization B will
be a 3rd party service provider, under contract with Organization A, to perform identity registration functions. Does SISAC
require the Auditor to physically audit Organization B?
SISAC does not require physical or on-site audit of Organization B in this example. The Auditor is permitted to use its
discretion with respect to its attestation of functions defined by Organization A and performed by Organization B (e.g., contracts/agreements
between the parties may be sufficient for an Auditor).
Ex 2: Continuing with example 1, what happens if Organization A forms a new relationship with Organization C and Organization
C will also perform some identity registration functions? Is Organization A, C, or both required to have an audit?
SISAC will require an assessment from an Auditor for Organization C. This example is described as a “material change” and
will require an examination. As the Issuer, Organization A is required to obtain an attestation within a period of 30 days.
SISAC does not place any specifics on the process. The Auditor is able to use their discretion with respect to the level
of due diligence to evaluate the material change.
Ex 3: Consider a new example where Organization A is the Accredited Issuer (is listed as the Issuer and holds liability for the
credential) and Organization B is the 3rd party provider to perform certificate-manufacturing operations (i.e., operate CA
servers that generate and produce the signed certificates). What is the audit requirement in this example?
Organization A will require an attestation for accreditation, which includes an attestation of Organization C's operations.
Ex 4: Organization A is the Accredited Issuer as well as the certificate manufacturer, operates under a common policy, but outsources
some functions such as the identity registration to a 3rd party provider – Organization B.
This example is similar to examples 1 and 2 above. A material change has occurred in the accredited service. Some level
of attestation by the Auditor is required.
Ex 5: Organization A is listed as the Accredited Issuer and no functions are outsourced (i.e., Organization A performs all identity
management functions).
No additional attestation will be required after the initial accreditation, unless there is a material change to the accredited
system or a periodic audit (i.e., annual) is due to be performed.
Ex 6: Organization A manufactures certificates and manages their life cycle, but is not considered to be an Accredited Issuer.
Organization A is not responsible to obtain an audit, as it is not considered to be an Accredited Issuer. The Accredited
Issuer that will obtain Organization A's 3rd party services to support certificate manufacturing will be required to obtain
an audit, which includes an attestation of Organization A's operations (this is similar to example 3 above).
Ex 7: Does SISAC accredit Policy and PKI Framework Infrastructure services such as Identrus?
At this time SISAC does not accredit large-scale policy frameworks such as Identrus. Therefore, each new issuing authority
would require accreditation. In the future, SISAC may evaluate and accredit large-scale policy framework services.
7.1) Who is a Subscriber?
A subscriber is an individual or organization that: (i) is defined in the subject field of a Certificate, or is responsible
for the Electronic Device named as [End Entity] of the Certificate; (ii) holds a Private Key that corresponds to the Public
Key listed in such Certificate and; (iii) enters into a Subscriber Agreement.
PKI uses the term Subscriber to designate the certificate holder or user of the credential. Subscribers can come in the form
of Lenders, Brokers, Appraisers, Closing Agents, County Recorders, Attorneys, etc. Individuals, Organizations, or devices
are all valid Subscribers. Any entity that has a requirement of being identifiable can be defined as a Subscriber.
7.2) What are the Subscriber Obligations?
A Subscriber Agreement governs a Subscriber's obligations. The Subscriber Agreement must require the Subscribers to: (i)
provide complete and accurate responses to all requests for information made by the AIA (or an LRA) during Applicant registration
and the I&A process; (ii) upon issuance of a Certificate naming the Applicant as the Subscriber, review the Certificate to
ensure that all Subscriber information included in it is accurate; and (iii) to accept or reject the Certificate in accordance.
Furthermore, a primary obligation of a subscriber is to protect his/her/its private key. The private key represents the
subscriber's identity.
8.1) What is a Relying Party?
An organization that depends on the processing of an identity credential is a Relying Party. Once a credential is received
the Relying Party will validate a Subscriber's certificate to determine reliance.
A Relying Party will be required to “accept” a Relying Party Agreement with each AIA for which the Relying Party has an established
relationship (i.e., the Relying Party accepts and processes credentials issued by the AIA). The agreement will describe
a Relying Party's obligations and restrictions with respect to establishing the Relying Party's reasonable reliance on a particular
certificate.
8.2) How does a Relying Party know a certificate meets SISAC requirements?
The SISAC certification process authorizes entities to issue credentials based on minimum standards. In reality, SISAC authorizes
the production of a specific product or products. These products, whether from a single AIA offering multiple types of
certificates or certificates from multiple AIAs, will be uniquely identified. Within every certificate the AIA is required
to define a unique policy Object Identifier (OID) that defines that certificate as either a Basic, Medium, or High assurance
SISAC credential. Relying Parties are required to verify the OID prior to the acceptance of a certificate. SISAC will
provide Relying Parties with a list of certified SISAC policy OIDs.
8.3) What are the Relying Party Obligations?
Generally, when a certificate is presented to a Relying Party by a subscriber the Relying Party must: (i) independently assess
the appropriateness of the use of a specific Certificate for any given purpose; (ii) utilize the appropriate software and/or
hardware to perform digital signature verification, including certification path validation; (iii) perform a certificate revocation
status check with respect to such certificate and log the result of such status check; and (iv) ensure that such certificate
has been issued by an AIA, and that such Certificate contains an approved policy identifier that represents a Basic, Medium,
or High Certificate as defined in the SISAC CPRD. All verification procedures and status checks must be successful for each
certificate in a certificate chain before a Relying Party can act with reasonable reliance on a certificate.
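The Relying Party checks of 8.3, together with the Issuer field of 5.3, the policy OID of 8.2 and the missing-root failure of 4.4, as an added Go example that is not part of this FAQ or of any SISAC material. It builds a stand-in AIA root (2048-bit RSA), issues subscriber certificates that carry a single certificatePolicies OID, publishes a CRL, and then runs the Relying Party's checks in order: path validation to the installed root, a CRL signature and revocation status check whose result is logged, and the policy OID lookup. All names, serial numbers and the policy OIDs under 1.3.6.1.4.1.99999 are constructed placeholders; a real Relying Party would load SISAC's published list of certified policy OIDs instead. The `must` helper panics on key generation or encoding failures purely to keep the demo short.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	// Placeholder OIDs standing in for the SISAC-published Basic/Medium/High policy identifiers.
	approvedPolicies    = map[string]string{"1.3.6.1.4.1.99999.1.1": "Basic", "1.3.6.1.4.1.99999.1.2": "Medium", "1.3.6.1.4.1.99999.1.3": "High"}
	policyMedium        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}
	notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // one-day validity window
)

// must aborts the demo on key generation or DER encoding failures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewAIA builds a self-signed 2048-bit RSA root allowed to sign certificates and CRLs, standing in for an AIA.
func NewAIA(name string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{Organization: []string{name}, CommonName: name + " Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// Issue manufactures a subscriber certificate naming one policy OID in certificatePolicies (RFC 3280 4.2.1.5, no qualifiers).
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64, cn string, policy asn1.ObjectIdentifier) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // subscriber key; only its public half enters the certificate
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{Organization: []string{"Example Lender"}, CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, // id-ce-certificatePolicies
			Value: must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}}))}}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)) // Issuer field := ca.Subject (5.3)
	return must(x509.ParseCertificate(der))
}

// Revoke publishes a CRL signed by the AIA that lists one revoked serial number.
func Revoke(ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: notBefore, NextUpdate: notAfter,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: notBefore}}}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// Rely runs the 8.3 checks in order: path validation, CRL status (logged), then the 8.2 policy OID check.
func Rely(cert *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList) (string, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", fmt.Errorf("path validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][len(chains[0])-1]); err != nil { // the CRL must come from the chain's root
		return "", fmt.Errorf("CRL signature check failed: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			fmt.Printf("log: serial=%v issuer=%q status=revoked\n", cert.SerialNumber, cert.Issuer.String())
			return "", fmt.Errorf("serial %v is revoked", cert.SerialNumber)
		}
	}
	fmt.Printf("log: serial=%v issuer=%q status=good\n", cert.SerialNumber, cert.Issuer.String())
	for _, oid := range cert.PolicyIdentifiers {
		if level, ok := approvedPolicies[oid.String()]; ok {
			return level, nil
		}
	}
	return "", fmt.Errorf("no approved SISAC policy OID among %v", cert.PolicyIdentifiers)
}

// Demo runs four Relying Party scenarios (constructed names and serials) and returns label -> outcome.
func Demo() map[string]string {
	ca, caKey := NewAIA("Example AIA")
	good, crl := Issue(ca, caKey, 100, "alice.closing-agent", policyMedium), Revoke(ca, caKey, 101)
	installed, stale := x509.NewCertPool(), x509.NewCertPool() // stale: a client that never received the AIA root (4.4)
	installed.AddCert(ca)
	run := func(c *x509.Certificate, pool *x509.CertPool) string {
		level, err := Rely(c, pool, crl)
		return fmt.Sprintf("level=%q err=%v", level, err)
	}
	return map[string]string{
		"valid-medium":       run(good, installed),
		"revoked":            run(Issue(ca, caKey, 101, "bob.appraiser", policyMedium), installed),
		"unapproved-policy":  run(Issue(ca, caKey, 102, "carol.broker", asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 9, 9}), installed),
		"root-not-installed": run(good, stale),
	}
}
func main() { fmt.Println(Demo()) }
```

Running the program prints one log line per revocation status check and the four outcomes; only the certificate that chains to an installed root, is absent from the CRL and carries an approved policy OID is accepted, while the revoked one, the one with an unlisted policy OID, and the one presented to a client whose trust store lacks the AIA root are each rejected with the reason. Checking the CRL's signature against the root that path validation ended at matters in practice: an unsigned or foreign CRL must not be able to clear a revoked certificate.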
8.4) Is there information to assist a Relying Party in understanding the value of SISAC and the use of SISAC credentials in
Relying Party applications?
A Relying Party Guidelines and Best Practices white paper is available and can be obtained at the SISAC web site, http://www.sisac.org/.
9.1) What are SISAC's Digital Signature Requirements?
Neither SISAC nor MISMO place any specific requirements on electronic signatures. The government's e-Signature laws allow
for a diverse set of symbols to represent legal electronic signatures. In essence, a click-through process signature is
as valid as a digital signature using a digital certificate. The organization or Relying Party controls the choice of electronic
signature method. It is worth noting that Relying Parties may place some constraints governing electronic signatures in
a transaction. For example, a Relying Party may restrict the use of voice (audible) recordings. Businesses are recommended
to consult with internal legal and compliance representatives prior to any decision on electronic signature methods.
9.2) Where can I find more information about SISAC?
For more information on SISAC please visit http://www.sisac.org/ or contact us at info@sisac.org or via our online contact form.
10.1) Are there examples on the use of SISAC accredited credentials in e-mortgage related transactions and applications?
Business Case 1 – Recording Title
The business case is to connect Lenders, Servicers, Title Companies, and related businesses (default attorneys) with County
Records. A Mortgage Services Provider will act as a broker providing a Web based service to facilitate the signing, tamperproof
evidence seals, and communication pipeline. Closing Agents will electronically transmit titles to County Records. The
Recorder will acknowledge receipt of the Title by responding with a positive confirmation. This scenario will allow affiliated
and non-affiliated businesses to conduct electronic recordings within minutes of a closing. A leading provider of clearinghouse
services will host the application and obtain accreditation as the issuer (AIA). Future markets include connecting the Lenders,
Servicers, and Title Companies directly to each other.
Business Case 2 – Service Ordering Appraisals
ABC has a current application that allows Appraisers to submit their information electronically. The business objective
is to assure appraisers and other loan service providers that their documents will reach recipients with integrity (tamperproof
seal), giving lenders superior confidence that the files they're getting from authorized vendors have not been altered in
transit. The electronic transmission of an appraisal, digital images, and other supporting collateral will reduce delivery
costs and improve process speed. The authentication process will be virtual (no in-person) and ties the Appraisers' licensure,
insurance and professional credentials to his signature. No physical authentication and electronic delivery will increase
the demographics of the service. ABC will outsource manufacturing of credentials to a 3rd-party PKI Service Provider.
The PKI Service Provider will receive SISAC accreditation as an issuer.
Business Case 3 – eOrigination, eClosing, and eDelivery
A financial institution has adopted a goal of allowing men and women serving overseas -- or on the seas -- to sign off on
a loan anytime they're away from home. The goal is to provide financial services no matter where their customer is in the
world. The financial institution has trained closing agents to execute electronic signature transactions. Working with an
investor, the credit union developed a pilot project in which borrowers applied for a mortgage online or by telephone. Next,
flood certification, a credit report, tax information and the appraisal were ordered and received electronically. Then, at
closing, borrowers were invited to sign final documents online, using a mouse-enabled electronic signature. The note was then
transferred to the investor electronically.