eID vs CAC

eID vs CAC (Common Access Card)

National eID cards and the US military Common Access Card both carry PKI certificates in a secure element and authenticate the holder's identity — but they serve different populations, different trust hierarchies, and different access control systems. Understanding this distinction clarifies why CACCACIdentityUS DoD identification smart card.Click to view → is not an eIDeIDIdentityNational ID with embedded chip.Click to view → and why eID programmes cannot simply adopt CAC infrastructure.

Overview

eID is a broad term for national electronic identity cards issued by government authorities, typically to all citizens of a country. EU eID cards comply with the eIDAS regulation, carry at least two X.509 certificates (authentication and digital signature), and are interoperable across EU member states via the eIDAS network. Each country's National Identity Authority (e.g., Bundesdruckerei in Germany, Agencia Tributaria in Spain) operates its own PKI. The card may also carry biometric data in an ICAO 9303-compatible contactless chip for border control.

CAC (Common Access Card) is the standard ID card issued by the US Department of Defense to active-duty military personnel, reservists, DoD civilian employees, and eligible contractors. The CAC carries three PKI certificates — PIVPIVIdentityUS federal identity card standard.Click to view → Authentication, Email Signing, and Email Encryption — plus a CHUID (Cardholder Unique Identifier) for physical access and a barcode. The DoD PKI hierarchy (DoD Root CA → DoD Intermediate CAs) is separate from civilian PKI. CAC also meets FIPS 201 and PIV standards, making it a PIV-compliant credential.

Key Differences

• Issuing authority: eID issued by national civil authority (open to all citizens); CAC issued exclusively by DoD (restricted to military/DoD personnel)
• PKI hierarchy: eID uses national government PKI (varies by country); CAC uses DoD PKI (DoD Root CA, NSS-validated)
• Certificates: EU eID typically carries 2 certs (auth + sig); CAC carries 3 certs (PIV auth, email sign, email encrypt)
• Physical access: eID may carry biometric data for border crossing; CAC carries CHUID for DoD facility physical access
• Interoperability: EU eIDAS enables cross-border eID acceptance; CAC is valid only within DoD/federal ecosystems
• Contactless interface: Some eIDs carry both contact and contactless; CAC is primarily a contact card (no payment antenna)
• Renewal: eID typically 5–10 years; CAC 3 years for active duty

Use Cases

eID enables:

• Citizen authentication to government e-services (tax filing, social benefits, healthcare)
• Cross-border identity verification within the EU eIDAS network
• Legally binding digital signatures on documents and contracts
• Border control (biometric verification where contactless chip is present)

CAC is used for:

• Physical access to DoD facilities, bases, and ships
• Logical access to DoD and NIPR/SIPR networks
• DoD email signing and encryption (S/MIME)
• Access to CAC-enabled government contracting portals (SAM.gov, PIEE, DLA Internet Bid Board)
• Authentication to DoD VPN and remote access infrastructure

Verdict

eID and CAC are parallel identity credential systems for different populations and trust domains. A CAC holder gains no access to EU eID services; an EU eID citizen cannot use their card at a DoD facility. Both represent mature, high-assurance PKI-based identity — the key architectural difference is that eID is civilian and interoperable by design (eIDAS), while CAC is military and restricted to the DoD trust domain by design. Countries building national eID programmes should not look to CAC as a model — PIV is the civilian federal equivalent with broader applicability.