Attachment 1
Frequently Asked Questions
Q: What is an electronic signature vs a digital signature?
A: A digital signature provides authenticity protection, integrity protection, and non-repudiation, but
not confidentiality protection as per NIST 800-63-3. The owner of a private signing key creates a
"digital signature" when they use that key to create a unique mark (the signature) on an electronic
document or file. The recipient employs the owner's public key to validate that the associated
private key generated the signature. This process also verifies that no one altered the document.
An electronic signature is an electronic sound, symbol, or process, attached to or logically
associated with a contract or other record and executed or adopted by a person with the intent to
sign the record. A digital signature is a type of electronic signature.
Q: What is non-repudiation?
A: Non-repudiation provides proof of delivery to the sender and proof of the sender's identity to the recipient so that
neither party can later deny having processed the data. [NS4009]
● Technical non-repudiation refers to the assurance a Relying Party has that, if a public key
validates a digital signature, the corresponding private signature key made the signature.
● Legal non-repudiation refers to the establishment of possession or control of the private
signature key.
Q: What is digital authentication?
A: Digital authentication is an information system’s process of establishing confidence in
electronically presented user identities.
Q: What are the Identity Assurance Levels (IAL)?
A: Based on their risk profile and the potential harm caused by an attacker making a successful false
claim of an identity, agencies may select from the following three IAL options:
IAL1: An agency does not require linking the applicant to a specific real-life identity. Any
attributes provided in conjunction with the authentication process are self-asserted.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the
applicant is appropriately associated with this real-world identity. IAL2 introduces the need
for either remote or physically present identity proofing.
IAL3: Agencies require physical presence for identity proofing. An authorized and trained
representative of the Credential Service Provider (CSP) must verify identifying attributes.
NOTE: Find complete definitions of the Identity Assurance Levels in the National Institute of
Standards and Technology (NIST) Special Publication 800-63-3.
Q: What is meant by “low assurance” transactions?
A: In accordance with the NIST requirements, low assurance transactions are those that are lower
risk based on the nature of the transaction. For example, the use of a login name and password
verifies access to a system.
Q: Can I use the DOI Access Card to sign/approve forms from other federal, state, or local
agencies or from members of the public?
A: You can use the DOI Access Card to sign an electronic document if the source organization will
accept the use of the electronic signature. You should verify acceptance of the electronic
signature with the source organization prior to signing the document.