Which combination of roles is capable of creating a PIN Reset CRI via the TMS?

Pin reset in a Trusted Management System is a sensitive operation that requires a secure, multi-role partnership. The combination of roles that can create a PIN Reset CRI relies on three key functions: verifying identity, confirming the local record, and securely executing or authorizing the reset. The Registration Authority confirms the requester’s identity and approves the reset action, the Local Registration Authority handles local verification and ties the request to the correct local identity, and the Trusted Agent carries out the secure processing and enforces policy during the reset. This trio provides necessary checks and balances, reducing the risk of fraud and ensuring an auditable, controlled reset process. End users alone don’t have the authority to initiate such resets, and extending permissions to all roles would be excessive or insufficient depending on the system’s controls, so the selected combination is the appropriate balance of verification and secure execution.