Does anyone know of a company that can provide custom printed Smart Cards for company PhotoIDs? In addition, I would hope that the provided Smart Card would be compatible with the current state of SmartCard support and with a working tokend for Snow Leopard. I understand that part of it is choosing an already supported reader. Apparently, I have discovered with my current ActivIdentity USB token that the reader portion of the token is supported; however, the card profile needs to be updated to properly read the certificates from the USB token.

The Smart Card should have the capability for supporting the External Certification Authority type certificates - http://iase.disa.mil/pki/eca/ . Another capability would be that the Smart Card is compatible with ActivClient for Windows for key generation and/or certificate import. Unless there is another way under Snow Leopard to generate key requests on the card or otherwise import software certificates onto them?

Thanks,
Bob Colbert
At least one ECA authority issues smartcards, but ECA smartcards are not intended to be employee badges, and the ECA vendors don't generally support issuing to entire companies. That's not what the ECA program is for.

If you're wanting to deploy a corporate PKI that's interoperable with the DoD and/or Federal PIV systems, you need to spend some quality time with the _PIV Interoperability for Non-Federal Issuers_ specification:
http://www.cio.gov/Documents/PIV_Interoperabillity_Non-Federal_Issuers_May-2...

What you're really asking for is a shared service provider (SSP). An SSP is someone who would issue your ID cards for you, and handle cross-certification, ID vetting, etc.; the Federal PIV program has several operating SSPs, but they can only issue to Federal agencies. I'm not aware of any non-Federal PIV-I shared service providers currently operating, but they are expected to arise.

-- Tim
-----Original Message-----
From: smartcardservices-users-bounces@lists.macosforge.org [mailto:smartcardservices-users-bounces@lists.macosforge.org] On Behalf Of Bob Colbert
Sent: Monday, July 26, 2010 10:29 AM
To: SmartcardServices-Users@lists.macosforge.org
Subject: [SmartcardServices-Users] Custom Smart Card Source
Tim,

I understand that the ECA program Smart Card solution is not originally intended for corporate ID like a CAC Card, but I believe the FiXs program is meant to provide a CAC-like card authentication with hardware assurance ECA certificates on board.

The reason that I ask is that Good Technology (according to one of their webinars) is releasing an updated iPhone (and Android) product that will include S/MIME encryption in the Fall timeframe. Their previous S/MIME product was for Windows Mobile devices and used Bluetooth card readers for the CAC card. Early indications (I am trying to clarify with them) are that it may only support software-only certificates (at least initially).

The ECA certs can be renewed in 1 year increments, so I thought I would just get software certificates and put them on a Smart Card. And just simplify the number of cards and stuff on my person and wallet, combining this card with a photo ID.

Ultimately, I think the FiXs program for DoD contractors is probably the best approach long term, but getting acceptance for it at all DoD facilities is holding things up. In addition, there needs to be a mobile device solution for these hardware type certificates. It is getting more annoying as encrypted email is becoming more pervasive to keep getting "this email cannot be read on this device" on the iPhone. Without starting a flame war, I know Blackberries do this now, but I like the overall Good Technology approach in that workers can use their personal devices wherein the Good application is sandboxed and corporate-controlled.

Thanks,
Bob

On 7/26/10 12:25 PM, "Miller, Timothy J." <tmiller@mitre.org> wrote:
----
Bob Colbert
DE Technologies
118 Sleepy Hollow Drive Suite 1
Middletown, DE 19709
302-285-0354
302-285-0357 Fax
colbert@detk.net
I understand that the ECA program Smart Card solution is not originally intended for corporate ID like a CAC Card, but I believe the FiXs program is meant to provide a CAC-like card authentication with hardware assurance ECA certificates on board.
Not quite. FiX (an acronym no longer used, AFAICT) is intended to show non-Federal partners how to produce cards that are technically compatible with the PIV platform, and provide a path to meet all FIPS 201 identity assurance requirements.
The reason that I ask is that Good Technology (according to one of their webinars) is releasing an updated iPhone (and Android) product that will include S/MIME encryption in the Fall timeframe. Their previous S/MIME product was for Windows Mobile devices and used bluetooth card readers for the CAC card. Early indications (I am trying to clarify with them) is that may only support software-only certificates (at least initially).
Everything I've heard is pretty much the same: smartcard support is intended for the product, but the only info I can glean on status indicates they won't initially make that goal. It's been awhile since I've had Good in for a chat, though.
The ECA certs can be renewed in 1 year increments, so I thought I would just get software certificates and put them on a Smart Card. And just simplify the number of cards and stuff on my person and wallet, combining this card with a photo ID.
This won't help you with Good's software suite if it ships without smartcard support.
Ultimately, I think the FiXs program for DoD contractors is probably the best approach long term, but getting acceptance for it at all DoD facilities is holding things up.
Requirements for interoperation with non-Federal PKIs were clarified via DoD CIO memo last year, and are being incorporated into the DoDI 8520.02 reissuance currently being circulated.
In addition, there needs to be a mobile device solution for these hardware type certificates. It is getting more annoying as encrypted email is becoming more pervasive to keep getting "this email cannot be read on this device" on the iphone.
This is a separate problem from PKI interop.

-- Tim
Bob, I think has already given you excellent guidance and feedback, but I wanted to note a few things in your message for the benefit of all.
I would hope that the provided Smart Card would be compatible with the current state of SmartCard support and with a working tokend for Snow Leopard.
That is not very specific. Are you asking for specific profile support with support in the shipping version of the OS or from various sources? Many Smart Card vendors have a Tokend for 10.6 and will of course make it available when needed.
I understand that part of it is choosing an already supported reader.
Yes, but there are nearly 130 readers supported with the CCID Class Driver in Mac OS X 10.6 and with an update to the CCID Driver, many more to come. As you noted, the reader is part of the equation and the profile on the card (typically implemented as a Java Applet) is the other major component.
The Smart Card should have the capability for supporting the External Certification Authority type certificates - http://iase.disa.mil/pki/eca/
The X.509 Identities are not the issue as we know, it is access / support for the profile / applet.
Another capability would be that the Smart Card is compatible with ActivClient for Windows for key generation and/or certificate import.
You are making reference to wanting the cards to be compatible with your ActivClient for Windows, which means that you are issuing cards from ActivIdentity. You should simply talk to your rep and learn what profile is loaded on the cards you are using on Windows. What you are referencing is really a Card Management System, which can provision and manage the cards. You would just follow with acquiring a Tokend from ActivIdentity if that is what you wanted.

My personal suggestion is that you consider a PIV compliant card issuance, since both Apple (Mac OS X) and Microsoft (Windows 7) have built-in support for PIV. There are a couple variances of PIV, but going down this path ensures that you have something standards-based supported on both platforms. Just a suggestion and not a requirement.

-Shawn
__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
Shawn,

I admit that I don't fully understand the intricacies of how the Smart Cards work with each OS. The part that I don't understand is what tool would I use to generate keys on the Smart Card if I only had access to Snow Leopard? When I first obtained my Hardware Assurance token from my ECA vendor, it was a USB token from ActivIdentity that was initially set up using ActivClient 6.1. They also offer a Smart Card from Oberthur that I would also assume would use ActivClient to create the card profile, create the PIN, generate the keys, and then finally put the certificates on the card. Earlier posts on this list indicate that the SmartCard from Oberthur works in Snow Leopard, whereas I noted a few weeks back (and you confirmed) that the ActivIdentity USB token profile is not properly read; I can unlock the card though.

Does Snow Leopard, as shipped, have that capability to create/initialize the Smart Card/USB token? If yes, can you steer me towards some documentation, or if not, how would you do it? Sorry for being dense with this.

Bob Colbert

On Jul 26, 2010, at 5:43 PM, "Shawn A. Geddis" <geddis@mac.com> wrote:
Does Snow Leopard, as shipped, have that capability to create/initialize the Smart Card/USB token? If yes, can you steer me towards some documentation or if not, how would you do it?
Card initialization and personalization are usually done via a secure channel; this basically means that security-sensitive commands such as those used to install applications or generate keys are encrypted under a symmetric key unique to a specific card (injected on the card at manufacture--key ceremonies for this are fun to examine if you're into that kind of thing). These encrypted commands can originate on the host platform, or on another machine entirely (which blinds the host to the operations--very useful for card personalization in an enterprise environment).

As a result, initialization and personalization are very much specific to the card platform and the token management system. There are a few standards; JCOP, GSC-IS, and NIST SP800-73 all cover different (but related) APIs that include initialization and personalization commands. Just to keep things interesting, every card management vendor does things differently. E.g., ActivIdentity's Token Management System creates PIV-compatible cards atop JCOP smartcard platforms. Cards are initialized using the JCOP API, personalized using the GSC-IS API, but operate using the NIST SP800-73 API.

Yes, it's a twisty maze of different standards, all similar. :)

If you're bootstrapping a token-based PKI, it's simpler in the short run but more expensive in the long run to find a complete end-to-end solution from a single vendor--to include card supplies. However, the trade-off vs. running it yourself is critically dependent on scale and card churn rates.

-- Tim
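Added illustration (not code from Tim, from this list, or from any card vendor) of the secure-channel idea in the reply above: a card-unique key is derived from the issuer's key-ceremony master key and injected at manufacture, the card management system encrypts and MACs each personalization command under that key, the host in between only relays opaque bytes, and the card rejects anything altered or replayed. It is a simplified stdlib-only model, not GlobalPlatform SCP or any real card API; every function name, the serial number and the command bytes are constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

SEQ_LEN = 8    # sequence number, also used as the nonce
TAG_LEN = 16   # truncated HMAC-SHA256 tag

def diversify_card_key(issuer_master_key: bytes, card_serial: bytes) -> bytes:
    """Per-card key derived from the key-ceremony master key; injected at manufacture."""
    return hmac.new(issuer_master_key, b"card-key|" + card_serial, hashlib.sha256).digest()

def _subkeys(card_key: bytes):
    """Separate encryption and MAC keys derived from the card key."""
    return (hmac.new(card_key, b"enc", hashlib.sha256).digest(),
            hmac.new(card_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_command(card_key: bytes, seq: int, apdu: bytes) -> bytes:
    """CMS side: encrypt a sensitive command (install applet, generate key) and MAC it."""
    enc_key, mac_key = _subkeys(card_key)
    nonce = seq.to_bytes(SEQ_LEN, "big")
    ct = bytes(p ^ k for p, k in zip(apdu, _keystream(enc_key, nonce, len(apdu))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unwrap_command(card_key: bytes, expected_seq: int, wrapped: bytes) -> Optional[bytes]:
    """Card side: reject replay and tampering, then decrypt. None on any failure."""
    if len(wrapped) < SEQ_LEN + TAG_LEN:
        return None
    nonce, ct, tag = wrapped[:SEQ_LEN], wrapped[SEQ_LEN:-TAG_LEN], wrapped[-TAG_LEN:]
    if int.from_bytes(nonce, "big") != expected_seq:
        return None                      # replayed or out-of-order command
    enc_key, mac_key = _subkeys(card_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # altered in transit, or wrong card
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def host_relay(wrapped: bytes) -> bytes:
    """The workstation in the middle forwards opaque bytes and never holds a key."""
    return wrapped

def personalize_demo():
    """Returns (delivered, tamper_rejected, replay_rejected) for one command."""
    master = hashlib.sha256(b"constructed issuer master key").digest()
    card_key = diversify_card_key(master, b"SERIAL-000123")   # constructed serial
    # The CMS, possibly on another machine, recomputes the same key from the master.
    apdu = b"GENERATE KEY PAIR (constructed command bytes)"
    wrapped = wrap_command(diversify_card_key(master, b"SERIAL-000123"), 1, apdu)
    delivered = unwrap_command(card_key, 1, host_relay(wrapped)) == apdu
    tampered = bytearray(wrapped)
    tampered[SEQ_LEN + 3] ^= 0x01        # relay host flips one ciphertext byte
    tamper_rejected = unwrap_command(card_key, 1, bytes(tampered)) is None
    replay_rejected = unwrap_command(card_key, 2, wrapped) is None
    return delivered, tamper_rejected, replay_rejected
```

The demo shows why Snow Leopard alone cannot initialize such a token: without the card-unique key held by the vendor's management system, no host can produce a command the card will accept.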
Thanks Tim. I know working for the government is the highest form of personal sacrifice and ultimate achievement, but for us lowly, government contractor swindlers (and a small business to boot with ~25 employees), this stuff isn't easy. Everyone wears dual hats. If you haven't figured out yet, I am ALSO the IT guy. This isn't my full time job.

We are basically starting off with nothing in terms of ECA digital signing and encryption. And since the ECA certificates are usually issued every year, I am ok with creating a workable solution with software certificates with Smart Cards (for portability and single sign-on on desktops/notebooks) and getting the upcoming Good Technology iPhone S/MIME product until things mature further with all of these standards documents getting updated as you mentioned. If I am suffering from insomnia, I'll be sure to read them cover to cover.

Bob

On 7/27/10 10:02 AM, "Miller, Timothy J." <tmiller@mitre.org> wrote: