[SmartcardServices-Users] Custom Smart Card Source

Bob Colbert colbert at detk.net
Tue Jul 27 07:27:50 PDT 2010


Thanks Tim.  I know working for the government is the highest form of
personal sacrifice and ultimate achievement, but for us lowly, government
contractor swindlers (and a small business to boot with ~25 employees), this
stuff isn't easy.  Everyone wears dual hats.  If you haven't figured out yet,
I am ALSO the IT guy.  This isn't my full time job.

We are basically starting off with nothing in terms of ECA digital signing
and encryption.  And since the ECA certificates are usually issued every
year, I am ok with creating a workable solution with software certificates
with Smart Cards (for portability and single sign-on on desktops/notebooks)
and getting the upcoming Good Technology iPhone/S/MIME product until things
mature further with all of these standards documents getting updated as you
mentioned.

If I am suffering from insomnia, I'll be sure to read them cover to cover.

Bob


On 7/27/10 10:02 AM, "Miller, Timothy J." <tmiller at mitre.org> wrote:

>> Does Snow Leopard, as shipped, have that capability to create/initialize
>> the Smart Card/USB token?  If yes, can you steer me towards some
>> documentation or if not, how would you do it?
> 
> Card initialization and personalization are usually done via a secure channel;
> this basically means that security-sensitive commands such as those used to
> install applications or generate keys are encrypted under a symmetric key
> unique to a specific card (injected on the card at manufacture--key ceremonies
> for this are fun to examine if you're into that kind of thing).  These
> encrypted commands can originate on the host platform, or on another machine
> entirely (which blinds the host to the operations--very useful for card
> personalization in an enterprise environment).
> 
> As a result, initialization and personalization are very much specific to the
> card platform and the token management system.  There are a few standards;
> JCOP, GSC-IS, and NIST SP800-73 all cover different (but related) APIs that
> include initialization and personalization commands.  Just to keep things
> interesting, every card management vendor does things differently.  E.g.,
> ActivIdentity's Token Management System creates PIV-compatible cards atop JCOP
> smartcard platforms.  Cards are initialized using the JCOP API, personalized
> using the GSC-IS API, but operate using the NIST SP800-73 API.
> 
> Yes, it's a twisty maze of different standards, all similar.  :)
> 
> If you're bootstrapping a token-based PKI, it's simpler in the short run but
> more expensive in the long run to find a complete end-to-end solution from a
> single vendor--to include card supplies.  However, the trade-off vs. running
> it yourself is critically dependent on scale and card churn rates.
> 
> -- Tim
> 

---- 
Bob Colbert
DE Technologies
118 Sleepy Hollow Drive
Suite 1
Middletown, DE 19709
302-285-0354
302-285-0357 Fax
colbert at detk.net
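The secure-channel idea in Tim's quoted reply (commands for installing applets or generating keys are encrypted and authenticated under a key unique to one card, and the desktop in the middle only relays opaque bytes) can be shown in a small script. The following is an added illustration, not code from the thread, from ActivIdentity, or from any card platform. Real cards use GlobalPlatform SCP02/SCP03 with 3DES or AES; here HMAC-SHA256 stands in as the PRF so the script runs with only the Python standard library. The master key, card serial numbers, APDU byte strings and status words are all constructed for the example.

```python
import hmac
import hashlib

# Constructed values for the example; nothing here comes from a real issuer.
ISSUER_MASTER_KEY = bytes(range(32))            # held only by the token management system
CARD_SERIAL = bytes.fromhex("0102030405060708")
OTHER_SERIAL = bytes.fromhex("0807060504030201")

# Constructed card commands.  Only the shape matters; these are not real
# JCOP / GSC-IS / SP800-73 APDUs.
INSTALL_APPLET = bytes.fromhex("80E60C00")
GENERATE_KEY = bytes.fromhex("80470000")
LOAD_CERT = bytes.fromhex("80DB3F00")

SEQ_LEN = 4
MAC_LEN = 8


def diversify(master_key: bytes, serial: bytes) -> bytes:
    """Derive the card-unique key injected at manufacture (a toy key ceremony)."""
    return hmac.new(master_key, b"card-key|" + serial, hashlib.sha256).digest()


def _keystream(key: bytes, seq: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the card's block cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc|" + seq + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _mac(key: bytes, seq: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(key, b"mac|" + seq + ciphertext, hashlib.sha256).digest()[:MAC_LEN]


def wrap(card_key: bytes, seq: int, apdu: bytes) -> bytes:
    """TMS side: encrypt-then-MAC one APDU.  The result is opaque to the host."""
    seq_b = seq.to_bytes(SEQ_LEN, "big")
    ct = bytes(a ^ k for a, k in zip(apdu, _keystream(card_key, seq_b, len(apdu))))
    return seq_b + ct + _mac(card_key, seq_b, ct)


class Card:
    """Minimal card: holds its diversified key and executes only authenticated commands."""

    def __init__(self, serial: bytes, master_key: bytes):
        self.key = diversify(master_key, serial)    # injected at manufacture
        self.next_seq = 0                           # replay / ordering counter
        self.executed = []                          # plaintext APDUs the card accepted

    def process(self, msg: bytes) -> int:
        """Return an ISO 7816-style status word (values chosen for the example)."""
        if len(msg) < SEQ_LEN + MAC_LEN:
            return 0x6700                           # wrong length
        seq_b, ct, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-MAC_LEN], msg[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, seq_b, ct)):
            return 0x6982                           # security status not satisfied
        if int.from_bytes(seq_b, "big") != self.next_seq:
            return 0x6985                           # replayed or out-of-order command
        self.next_seq += 1
        apdu = bytes(c ^ k for c, k in zip(ct, _keystream(self.key, seq_b, len(ct))))
        self.executed.append(apdu)
        return 0x9000


def host_forward(card: Card, msg: bytes) -> int:
    """The desktop in between only relays bytes; it never holds keys or sees plaintext."""
    return card.process(msg)


def personalize(card: Card, serial: bytes, master_key: bytes, commands) -> list:
    """TMS drives the whole sequence through the untrusted host; returns status words."""
    card_key = diversify(master_key, serial)
    return [host_forward(card, wrap(card_key, i, c)) for i, c in enumerate(commands)]


def demo() -> dict:
    """Happy path plus the three failures the channel exists to stop."""
    card = Card(CARD_SERIAL, ISSUER_MASTER_KEY)
    ok = personalize(card, CARD_SERIAL, ISSUER_MASTER_KEY, [INSTALL_APPLET, GENERATE_KEY, LOAD_CERT])

    card_key = diversify(ISSUER_MASTER_KEY, CARD_SERIAL)
    replay = host_forward(card, wrap(card_key, 0, INSTALL_APPLET))          # stale sequence number

    msg = wrap(card_key, card.next_seq, GENERATE_KEY)
    flipped = msg[:SEQ_LEN] + bytes([msg[SEQ_LEN] ^ 0x01]) + msg[SEQ_LEN + 1:]
    tampered = host_forward(card, flipped)                                  # host altered a byte

    other = Card(OTHER_SERIAL, ISSUER_MASTER_KEY)
    wrong_card = host_forward(other, wrap(card_key, 0, INSTALL_APPLET))     # key is per card

    return {"personalize": ok, "executed": card.executed,
            "replay": replay, "tampered": tampered, "wrong_card": wrong_card}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the structure is the one Tim makes: only the TMS holds the master key, the card holds only its own diversified key, and the host between them is a dumb pipe. A message that is replayed, modified in transit, or sent to a different card fails either the MAC or the sequence check and is never executed.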