[SmartcardServices-Users] [Fed-Talk] Help tracing access to keys/certificates?

Miller, Timothy J. tmiller at mitre.org
Fri Oct 30 06:49:34 PDT 2015


> 1. We know that at least some cards expect PIN at any Digital Signature private
> key operation. I don't know whether PKard.tokend is ready to accommodate
> those cards - and if it is, how it determines whether it needs to get the PIN
> again and pass it to the card, or the card considers itself still "unlocked" and
> doesn't need PIN again. Is it when the tokend classifies the inserted token as
> PIV? Maybe you could clarify this?

All PIV DSKs require the VERIFY APDU immediately prior to the DSK key operation. Key container access rules are pretty clearly spelled out in SP 800-73-4 Part 1. See table 4b. And yes, PIV.tokend supports these cards. I have two, and they work fine. (That said, I personally use Paul's software 'cause I also have a CAC and need to use the GSC-IS model for some operations, so having a tokend that implements both models is muy convenient :).

See also NIST IR 7863, particularly the section on key caching. Paul's statement that PIV middleware must always collect the PIN for a DSK operation was the original intent of the spec, but it has since been modified because it was found to be really inconvenient in practice.

> 2. Is there a mechanism by which I (as a user, or as a person who can write
> data objects to the card) could tell PKard.tokend or Keychain that a given PIV
> token requires new PIN for every digital signature private key operation? Is
> there anything on the card itself that would convey this message to
> PKard.tokend? And why doesn't it happen automatically as soon as tokend
> determines that the inserted token is PIV?

See above. If you're using the DSK conditional element, it's required to be subject to the PIN-Always rule, which is enforced by the PIV card app, so there's nothing you should need to do at personalization other than populate the PIV card application with the right key reference value.

Also, while the CCC is a mandatory object, it's only there for GSC-IS interop. If you're not using the GSC-IS model, then the CCC can be empty *except* for the data model value. See SP 800-73-4 Part 1, Sec 3.1.

-- T
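The distinction Tim draws above, between keys whose security status persists after one VERIFY and the Digital Signature key whose "PIN Always" rule demands a VERIFY immediately before each operation, can be seen in a small model of the card side. This is an added illustration, not code from the thread or from PKard.tokend/PIV.tokend: the card application is a hypothetical simplification (no retry counter, no real APDU encoding), while the key references and access rules follow SP 800-73-4 Part 1, Table 4b.

```python
from dataclasses import dataclass
# Hypothetical, simplified model of a PIV card app (not a real applet);
# access rules per key container after SP 800-73-4 Part 1, Table 4b.
ALWAYS, PIN, PIN_ALWAYS = "Always", "PIN", "PIN Always"
ACCESS_RULES = {0x9A: PIN,         # PIV Authentication key
                0x9C: PIN_ALWAYS,  # Digital Signature key (DSK)
                0x9D: PIN,         # Key Management key
                0x9E: ALWAYS}      # Card Authentication key

@dataclass
class PivCardModel:
    pin: str
    pin_verified: bool = False         # security status set by a good VERIFY
    last_cmd_was_verify: bool = False  # tracks the "immediately prior" condition

    def verify(self, candidate: str) -> bool:
        # A failed VERIFY clears the PIN security status (retry counter omitted).
        self.pin_verified = candidate == self.pin
        self.last_cmd_was_verify = self.pin_verified
        return self.pin_verified

    def get_data(self) -> None:
        # Any intervening command breaks the VERIFY -> GENERAL AUTHENTICATE adjacency.
        self.last_cmd_was_verify = False

    def general_authenticate(self, key_ref: int, challenge: bytes) -> bytes:
        # PermissionError stands in for status word 69 82 (security status not satisfied).
        rule = ACCESS_RULES[key_ref]
        if rule == PIN and not self.pin_verified:
            raise PermissionError(f"key {key_ref:02X}: PIN not verified")
        if rule == PIN_ALWAYS and not (self.pin_verified and self.last_cmd_was_verify):
            raise PermissionError(f"key {key_ref:02X}: VERIFY must immediately precede")
        self.last_cmd_was_verify = False  # each DSK operation consumes its VERIFY
        return bytes([key_ref]) + challenge  # stand-in for the real signature

def walk_through(pin: str = "123456") -> list:
    """Runs one command sequence and records which key operations the card allows."""
    card, out = PivCardModel(pin), []
    def attempt(key_ref):
        try:
            card.general_authenticate(key_ref, b"\x01\x02")
            out.append((key_ref, True))
        except PermissionError:
            out.append((key_ref, False))
    card.verify(pin)
    attempt(0x9A); attempt(0x9A)     # PIN rule: status persists across operations
    attempt(0x9C)                    # PIN Always: refused, last command was a sign
    card.verify(pin); attempt(0x9C)  # allowed: VERIFY immediately prior
    attempt(0x9C)                    # refused again: one VERIFY per DSK operation
    card.verify(pin); card.get_data(); attempt(0x9C)  # refused: GET DATA intervened
    return out
```

Middleware that caches the PIN for the 9A/9D keys therefore works, but a signature with 9C fails with "security status not satisfied" unless the VERIFY is sent as the immediately preceding command, which is why a tokend has to know the key reference it is about to use.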