An official website of the United States government.

This is not the current EPA website. To navigate to the current EPA website, please go to This website is historical material reflecting the EPA website as it existed on January 19, 2021. This website is no longer updated and links to external websites and some internal pages may not work. More information »

Cross-Media Electronic Reporting Rule

Lesson 7: Key Decision 1 - Type of Credential Used

  • How Credentials Are Issued
    • Most credentials issued by or registered with the system require protection as they travel between registrant and system.
    • Credentials that are registered (rather than issued) may need the system to enforce strength requirements and—where issued by a third party—ensure authenticity.
    • Credentials that incorporate biometrics or include cryptographic keys will need specialized technologies to support them.
    • Credentials issued in connection with hardware tokens will require support for users' implementation.
  • Approach to Binding Signatures to Document Content
    • Credentials that include cryptographic keys may execute signatures that are automatically bound to the document being signed by incorporating a message digest or hash value uniquely related to the document content.
    • Other kinds of credentials lack this functionality, and so require an independent approach to signature binding.
  • How Signatures Are Validated
    • Signatures executed with third party credentials require interaction with the issuing authority to determine that the credentials are authentic.
    • Credentials that provide cryptographic keys may require decryption functionality for validation of the signatures they execute.
  • How Signatures Are Included in the COR

    Credentials that are included "in the clear" in the signatures they execute (for example, as a PIN or password) need to be "shielded" in some way on the copies of record (COR), for example, by being encrypted or hashed.

Back | Next