Levels (classes) of trust defined

Digital certificates are not all equal. They can represent four different levels (or classes) of trust, as outlined in the following excerpt from a U.S. Federal Government records-management document. You can read the entire document at http://www.archives.gov/records-mgmt/policy/pki.html .
4.4 Linking of PKI Records to Assurance and Authentication Levels [1]
The type and number of PKI digitally signed transaction records that may need to be retained to establish trustworthiness over time will be influenced by the selected assurance level that results from the agency's risk assessment. This section discusses how the assurance levels set forth by OMB and the authentication processes set forth by NIST for electronic transactions may influence the type and amount of PKI transaction records that should be retained and managed.
OMB issued the Memorandum on E-Authentication Guidance for Federal Agencies on December 16, 2003 (M-04-04). This memorandum identified four assurance levels that are based on the confidence level that is required regarding the validity of the asserted identity of the electronic signature applied to a transaction. NIST issued the Electronic Authentication Guideline, Special Publication 800-63, as technical guidance supplementing the OMB M-04-04 E-Authentication Guidance.
Table 1, Summary of Assurance Levels and Technical Authentication Guidance, presents a summary of the OMB assurance level and NIST authentication level guidance. This summary is provided as background regarding both the potential applicability of PKI at each assurance level and as a baseline for determining the records that may need to be retained as part of the Trust Documentation Set for PKI digital signature authenticated and secured electronic transactions.
Table 1. Summary of Assurance Levels and Technical Authentication Guidance

| Identity Assurance Level | OMB M-04-04 E-Authentication Guidance (required confidence level) | NIST 800-63 Electronic Authentication Guideline (electronic authentication requirements) | PKI Applicability |
|---|---|---|---|
| 1 | Little or no confidence in the asserted identity's validity. | No identity proofing is required at this level. Although an authentication mechanism provides some assurance that the same claimant is accessing the protected transaction, there is not a requirement at this level to use FIPS-approved cryptographic techniques. | Optional |
| 2 | Some confidence in the asserted identity's validity. | Authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token. Level 2 requires identity proofing but does not require FIPS-approved cryptography. It allows any of the token methods of levels 3 and 4, as well as passwords and PINs. | Yes |
| 3 | High confidence in the asserted identity's validity. | Level 3 authentication requires cryptographic strength mechanisms that protect the primary authentication token against compromise. Relying parties must determine which data requires authentication or confidentiality protection and are not required to authenticate or encrypt all data transferred. Authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token. | Yes |
| 4 | Very high confidence in the asserted identity's validity. | Requires strong cryptographic authentication of all parties and all sensitive data transfers between parties. Strong, FIPS-approved cryptographic techniques are used for all operations. | Yes |

The four assurance levels (Rudimentary, Basic, Medium, and High) identified in the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) essentially map to the four OMB assurance levels and the four NIST levels of authentication where PKI technology is used to authenticate and secure the transaction content, as indicated in table 2.

[1] Records Management Guidance For PKI Digital Signature Authenticated and Secured Transaction Records, http://www.archives.gov/records-mgmt/policy/pki.html#4-4-1