Thanks Tim. I know working for the government is the highest form of personal sacrifice and ultimate achievement, but for us lowly government contractor swindlers (and a small business to boot, with ~25 employees), this stuff isn't easy. Everyone wears dual hats. If you haven't figured it out yet, I am ALSO the IT guy. This isn't my full-time job. We are basically starting off with nothing in terms of ECA digital signing and encryption. And since the ECA certificates are usually issued every year, I am OK with creating a workable solution with software certificates on Smart Cards (for portability and single sign-on on desktops/notebooks) and getting the upcoming Good Technology iPhone/S/MIME product until things mature further, with all of these standards documents getting updated as you mentioned. If I am suffering from insomnia, I'll be sure to read them cover to cover.

Bob

On 7/27/10 10:02 AM, "Miller, Timothy J." <tmiller@mitre.org> wrote:
Does Snow Leopard, as shipped, have that capability to create/initialize the Smart Card/USB token? If yes, can you steer me towards some documentation or if not, how would you do it?
Card initialization and personalization are usually done via a secure channel; this basically means that security-sensitive commands such as those used to install applications or generate keys are encrypted under a symmetric key unique to a specific card (injected on the card at manufacture--key ceremonies for this are fun to examine if you're into that kind of thing). These encrypted commands can originate on the host platform, or on another machine entirely (which blinds the host to the operations--very useful for card personalization in an enterprise environment).
As a result, initialization and personalization are very much specific to the card platform and the token management system. There are a few standards; JCOP, GSC-IS, and NIST SP800-73 all cover different (but related) APIs that include initialization and personalization commands. Just to keep things interesting, every card management vendor does things differently. E.g., ActivIdentity's Token Management System creates PIV-compatible cards atop JCOP smartcard platforms. Cards are initialized using the JCOP API, personalized using the GSC-IS API, but operate using the NIST SP800-73 API.
Yes, it's a twisty maze of different standards, all similar. :)
If you're bootstrapping a token-based PKI, it's simpler in the short run but more expensive in the long run to find a complete end-to-end solution from a single vendor--to include card supplies. However, the trade-off vs. running it yourself is critically dependent on scale and card churn rates.
-- Tim
----
Bob Colbert
DE Technologies
118 Sleepy Hollow Drive, Suite 1
Middletown, DE 19709
302-285-0354
302-285-0357 Fax
colbert@detk.net
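Tim's description of the personalization secure channel (security-sensitive commands encrypted and integrity-protected under a card-unique key, with the host PC possibly acting only as a relay that never sees the plaintext) can be illustrated with a small three-party model. The following is an added example, not code from either message and not any real card platform's protocol: it uses HMAC-SHA256 as a stand-in for the 3DES/AES secure channel a real card uses, derives the card key from a constructed issuer master key and a constructed serial number, and sends placeholder command strings rather than real JCOP, GSC-IS or SP800-73 APDUs. The ISO 7816-4 status words (9000, 6982, 6985, 6700) are the real ones.

```python
"""
Toy model of the secure channel used for card initialization/personalization.
Three parties: the token management system (TMS, holds the issuer master key),
the host PC (relays bytes, holds no key), and the card (holds a card-unique key
injected at manufacture). Illustrative scheme built from HMAC-SHA256 only; it is
NOT GlobalPlatform SCP02/SCP03 and must not be used with real cards.
"""
import hashlib
import hmac
import struct

TAG_LEN = 8      # truncated MAC, as the real protocols do
SEQ_LEN = 4      # sequence counter doubles as the per-command nonce


def derive_card_key(master_key: bytes, card_serial: bytes) -> bytes:
    """Key diversification: one issuer master key, one unique key per card."""
    return hmac.new(master_key, b"card-key|" + card_serial, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-in-counter-mode keystream (toy cipher standing in for 3DES/AES)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_apdu(card_key: bytes, seq: int, apdu: bytes) -> bytes:
    """TMS side: encrypt-then-MAC one command under the card's key."""
    nonce = struct.pack(">I", seq)
    ciphertext = _xor(apdu, _keystream(card_key, nonce, len(apdu)))
    tag = hmac.new(card_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


class Card:
    """Card side: checks MAC and sequence, then decrypts and 'executes'."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._expected_seq = 0
        self.executed = []          # plaintext commands the card accepted

    def process(self, wrapped: bytes) -> bytes:
        if len(wrapped) < SEQ_LEN + TAG_LEN:
            return b"\x67\x00"      # SW 6700: wrong length
        nonce = wrapped[:SEQ_LEN]
        ciphertext = wrapped[SEQ_LEN:-TAG_LEN]
        tag = wrapped[-TAG_LEN:]
        expected = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return b"\x69\x82"      # SW 6982: security status not satisfied
        (seq,) = struct.unpack(">I", nonce)
        if seq != self._expected_seq:
            return b"\x69\x85"      # SW 6985: conditions of use not satisfied (replay)
        self._expected_seq += 1
        self.executed.append(_xor(ciphertext, _keystream(self._key, nonce, len(ciphertext))))
        return b"\x90\x00"          # SW 9000: success


def run_personalization() -> dict:
    """Constructed scenario: the TMS personalizes one card through an untrusted host."""
    master_key = b"issuer-master-key-(constructed-demo-value)"   # constructed
    serial = bytes.fromhex("0102030405060708")                    # constructed
    card = Card(derive_card_key(master_key, serial))              # key injected at manufacture

    # Constructed placeholder commands; real ones are platform-specific APDUs.
    commands = [b"INSTALL piv-applet", b"PUT KEY admin", b"STORE DATA chuid"]
    tms_key = derive_card_key(master_key, serial)                 # TMS re-derives, never ships it
    wrapped = [wrap_apdu(tms_key, i, c) for i, c in enumerate(commands)]

    # The host only relays these opaque blobs: no key, no plaintext.
    host_sees_plaintext = any(c in w for c in commands for w in wrapped)
    status = [card.process(w).hex() for w in wrapped]

    # A host that flips one ciphertext byte is refused; so is a replayed command.
    tampered = bytearray(wrapped[1])
    tampered[SEQ_LEN] ^= 0x01
    tamper_sw = card.process(bytes(tampered)).hex()
    replay_sw = card.process(wrapped[0]).hex()

    return {"status": status, "executed": card.executed,
            "host_sees_plaintext": host_sees_plaintext,
            "tamper_sw": tamper_sw, "replay_sw": replay_sw}
```

Running `run_personalization()` shows the three points Tim makes: the card accepts the wrapped commands (9000 each), the relaying host never holds the key or sees plaintext, and a modified or replayed command is rejected (6982 and 6985). The sequence counter is what makes blinding the host safe in practice; without it the host could re-send a captured "PUT KEY" blob later.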