
SAFE Identity
Bridge CA

There are many options in the marketplace today for establishing identity in computer-based business transactions. However, only one solution offers the strong, robust identity credential required for high value transactions and has become the government standard for identity assertion.

This solution is the Public Key Infrastructure (PKI)-based digital credential. In addition to its strength as an identity credential, the PKI credential offers a versatility that enhances business workflow productivity and security through non-repudiation for digitally signed objects, real-time access control decision-making, and protection for data in transit and at rest.

The technology behind PKI is known as asymmetric key encryption, which consists of two mathematically linked random bit streams, or keys: one is used to encrypt data, after which the other is required to perform the decryption. The private key is kept in the exclusive possession of the PKI certificate owner, while the public key, as the name implies, can be shared or published. It is the public key that is linked to the PKI Digital Certificate, which in turn is bound to the identity of the private key holder. How the keys are used depends on the function they are performing. The simple beauty of this technology, and the thing that makes it unique, is that there are NO shared secrets. The private key is kept in the sole possession of the PKI certificate owner and cannot be derived from its associated public key.

The strength of the PKI is determined by the technical specifications of the asymmetric key encryption technology, the documentation that governs the binding of the public key to the individual identity and the protection of the infrastructure responsible for that binding. A PKI operating in a federated environment must establish a balance with the other members of the federated environment that denotes comparable levels of trust based on the technical specifications of the underlying technology and the requirements of the governing documentation.

A Bridge Certification Authority provides the means to establish that balance. It is a collection of Public Key Infrastructure components and governing documentation used to facilitate peer-to-peer interoperability among its cross-certified PKI Issuers.

In the health community, a network infrastructure element must be available to enable the recognition of digital credentials issued by multiple identity providers and to link identity providers together for the benefit of enterprises and agencies. The SAFE Identity Bridge Certification Authority is that infrastructure element.

The SAFE Identity Bridge Certification Authority (SIBCA) is a cryptographic infrastructure that enables individuals and online services to trust each other’s digital identities for high assurance electronic transactions. The SIBCA facilitates trust across multiple organizations via the approved PKI Issuers cryptographically-bound to our infrastructure through cross-certification with the SIBCA.
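How cross-certification lets a relying party trust a credential from an issuer it has no direct relationship with, as an added example that is not SAFE Identity's own code: the relying party's CA cross-certifies a bridge, the bridge cross-certifies the issuer, and each signature in that path is verified in turn. It assumes the Python `cryptography` package; all names and keys are constructed, and validity dates, revocation and certificate policy checks are left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_pub, issuer_cn, issuer_key, is_ca):
    """Sign a certificate binding subject_pub to subject_cn under issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def path_is_trusted(anchor_pub, path):
    """Verify each link from the relying party's trust anchor to the end entity."""
    signer_pub, expected_issuer = anchor_pub, None
    for cert in path:
        if expected_issuer is not None and cert.issuer != expected_issuer:
            return False  # name chaining broken
        try:
            signer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False  # not signed by the previous key in the path
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if cert is not path[-1] and not bc.ca:
            return False  # only CA certificates may issue further certificates
        signer_pub, expected_issuer = cert.public_key(), cert.subject
    return True

def build_demo():
    # Constructed names and keys; none of these are real SAFE Identity artifacts.
    rp, bridge, issuer, user, unknown = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    rp_to_bridge = issue("Example Bridge CA", bridge.public_key(), "Relying Party CA", rp, True)
    bridge_to_issuer = issue("Example Issuer CA", issuer.public_key(), "Example Bridge CA", bridge, True)
    user_cert = issue("alice", user.public_key(), "Example Issuer CA", issuer, False)
    unsigned_by_issuer = issue("bob", user.public_key(), "Example Issuer CA", unknown, False)
    return (path_is_trusted(rp.public_key(), [rp_to_bridge, bridge_to_issuer, user_cert]),
            path_is_trusted(rp.public_key(), [rp_to_bridge, bridge_to_issuer, unsigned_by_issuer]),
            path_is_trusted(rp.public_key(), [user_cert]))  # no bridge path supplied
```

`build_demo()` returns one result per path: the full path through the bridge, a certificate that names the issuer but was signed by a different key, and the user certificate presented without the cross-certificates.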

The SAFE Identity Bridge Trust Community is comprised of the SIBCA-certified credential issuers, the asserting organizations that utilize their services, and the organizations that rely on the resulting cryptographically-based identity assertions.


Identity credentials issued in accordance with the SAFE Identity Federated Trust requirements may be purchased from any of the following SAFE-certified credential providers.

  • IdenTrust. Assurance Levels: basicAssurance-SHA256, mediumSoftwareAssurance-SHA256, mediumHardwareAssurance-SHA256, group-mediumSoftwareAssurance-SHA256, machine-mediumSoftwareAssurance-SHA256, machine-mediumHardwareAssurance-SHA256
  • Exostar. Assurance Levels: mediumSoftwareAssurance-SHA256, mediumHardwareAssurance-SHA256
  • Trans Sped. Assurance Levels: mediumHardwareAssurance-SHA256

Become a

The SAFE Identity Bridge Certification Authority (SIBCA) is an interoperability mechanism for ensuring trust across independent PKI domains. Membership in the SIBCA is available for Public Key Infrastructure (PKI) operators that can demonstrate comparability with the security principles and operational criteria of the SAFE Identity community.

PKI operators interested in attaining cross-certification with the SIBCA must submit an Application for Cross-certification along with the following documentation to the SAFE Identity Policy Management Authority (PMA):

  • Certificate Policy for the Principal CA that will be cross-certified to SAFE Bridge CA
  • Key Recovery Practices Statement (KRPS) that demonstrates compliance with the SAFE Identity Key Recovery Policy (KRP) (for applicants issuing key management certificates)
  • Architectural Diagram detailing the components of the applicant’s PKI

Following SAFE Identity PMA approval of the application, the review process begins:

  • Mapping the applicant’s PKI Certificate Policy against the SIBCA Certificate Policy for comparability of security and operational requirements
  • Where applicable, performing a compliance analysis of the applicant’s PKI KRPS with the SAFE Identity KRP
  • Interoperability testing of certificates issued by the applicant’s PKI
  • Reviewing the most recent Third-party Independent Audit Opinion Letter(s) pertaining to the compliance of the applicant’s PKI Certification Practices Statement (CPS) with the applicant’s PKI CP and the compliance of the applicant’s PKI Operations with the applicant’s PKI CPS

Additional documentation required in order to complete the review:

  • Third Party Independent Auditor CPS Compliance Analysis Opinion letter asserting that the Applicant PKI’s Certification Practices Statement (CPS) implements the Certificate Policy (CP)
  • Third Party Independent Auditor Operational Compliance Analysis Opinion letter asserting that the Principal CA’s operations meet the requirements set forth in the associated CP/CPS
  • Certificate Artifacts for Interoperability Testing

Upon successful completion of the document review and the interoperability testing, the results are submitted to the SAFE Identity PMA for final review and approval to cross-certify. For more information or to initiate the cross-certification process

Contact Us

Rely on the SAFE Trust Framework

The integrity of digital credentials varies widely from one provider to the next. Figuring out who to trust, why to trust them and how their security aligns with your needs can be a challenge. This makes trust hard.

The SAFE Identity Trust Framework, carefully cultivated over 15 years, can make trust much easier. The Trust Framework defines the policies and standards necessary to use secure and interoperable digital credentials that meet your needs. Issuers certified by SAFE are compliant with these policies and standards, ensuring this same security and interoperability across the ecosystem – and making trust a lot simpler for you.

Are you ready to consider your next steps?

Rely on SAFE

Get in touch with
SAFE Identity


1900 Reston Metro Plaza,
Suite 303, Reston, VA 20190