Some comments below on the questions:
On May 11, 2009, at 9:15 AM, Timothy J. Miller wrote:
Levine, Jason (NIH/NCI) [E] wrote:
For example, what questions should I ask about the type of
PIV cards we'll be getting
Ideally, no.
Some card stocks, like Oberthur PIV, are T=1 protocol only. The default CCID driver provided by Apple in 10.5.6 or above has the Smartcard Services Update rolled into it, which works with those cards and with default-CCID-driver-compatible readers. Versions prior to the Smartcard Services Update did not work with T=1-only cards.
(or is a PIV card specifically one type of
smartcard already)?
PIV is a data model, typically implemented in Java, residing on any
number of different cards.
Is it relevant exactly what type of certs are
encoded on the card
Aside from trusting the issuer PKI, not really unless you're doing
something *really* obscure.
The PIV Authentication certificate is used for authenticating, but if you wanted to bind to file vault, I've been told it requires the Encryption Certificate or other certificate with proper usage OID on the card.
Also it does matter what the key sizes are on the certificates. If the PIV Authentication keys are 2048, there may be issues with using the default PIV.tokend as it appears to be hardcoded for 1024 size in Leopard. See: http://smartcardservices.macosforge.org/trac/ticket/4
They have fixed the key size issue in Snow Leopard. The Snow Leopard PIV.tokend now supports 2048-bit key sizes, yet it is not backportable to Leopard for some reason; there must be dependencies in 10.6 that are not in 10.5.
The only workaround with Leopard for 2048-bit key sizes at this time for desktop login seems to be to build your own tokend, or obtain a third-party tokend.
(or again, does PIV specify the certs already)?
The cert profiles are set by the issuer within limits set by NIST and
FedPKI.
There's a hardware component (the USB reader), but there appear to be
multiple different software components as well -- how does the card
type
affect the various software parts?
Shouldn't, if the PIV tokend is working. If it isn't, try OpenSC's
SCA
package.
Shawn Geddis has a nice slide somewhere in one of his presentations that shows the structure of the major smartcard components.
For reader driver support there is the CCID driver bundle, usblib, and the pcsc package; yet I have not had to mess with any of that since the Smartcard Services Update that was rolled into 10.5.6 (thanks Apple!).
I've not had any success with OpenSC's tokend, although I have found that the PKCS#11 module does work in Firefox with PIV cards.
I know I'm clearly coming to this from much further down the learning
curve, but that's only because we don't yet have the smartcards/PIV
cards to use to start learning... I'd love if there were a reasonable
primer on how all the components interact.
http://csrc.nist.gov/groups/SNS/piv/index.html
In case my testing with readers and PIV cards on OS X might be useful to others:
Here are some GSA-approved readers that have been tested to work with T=1 PIV cards and the default CCID driver provided by Apple in 10.5.6 and above, with no additional reader drivers needed.

For mobile systems, the slim form-factor models:
- Gemalto PC Twin
- OmniKey Cardman 3021
- SCR 3310

Other choices (not as small) would be:
- SCR 331
- OmniKey Cardman 3121
- Gemalto PC USB-SL Reader

For desktop readers that do not need to travel:
- SCR3311 - has weighted base
- Gemalto PC Twin - has non-weighted base
- OmniKey 3121 - has optional weighted base
Note on ActivIdentity readers: AFAIK the ActivIdentity models have always needed an ActivIdentity smartcard reader driver installed for them to work; they don't work with the default CCID driver provided by Apple. You would need to obtain the reader driver for 10.5.x from ActivIdentity and install it to use those devices.
The ActivIdentity readers appear to be the same hardware as the SCR-331 readers with custom ActivIdentity firmware. There is a good possibility that, theoretically, you could just flash the AI reader with the 5.25 Firmware from SCM Microsystems to effectively turn it into a SCR-331. I'm not recommending this, just pointing out that it might be a possibility.
Ridley DiSiena NASA Desktop Smartcard Integration (DSI)
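The thread's first point is that some PIV card stock is T=1 only, which older CCID driver versions could not handle. Whether a card is T=1-only is advertised in its ATR (Answer To Reset), so it can be checked before blaming the reader or the tokend. The following is an added example, not code from the thread or from any of the projects named in it: a small ISO 7816-3 ATR decoder in Python that lists the transmission protocols a card offers. It assumes you obtain the ATR hex string from a tool such as `opensc-tool --atr` or `pcsc_scan`; the sample ATRs in the block are constructed to exercise the parser and are not taken from any real card.

```python
"""Decode an ISO 7816-3 ATR and report which protocols (T=0, T=1, ...) the
card offers.  Added example, not part of the original thread.  Sample ATRs
below are constructed, not captured from real cards."""
from typing import Dict, List, Tuple


def parse_atr(atr_hex: str) -> Dict[str, object]:
    """Parse an ATR given as hex ("3B 80 01 81", with or without separators).

    Returns the interface bytes, the historical bytes, the sorted list of
    offered protocols and whether the TCK check byte (if present) verifies.
    """
    b = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte: expected 3B (direct) or 3F (inverse)")
    t0 = b[1]
    k = t0 & 0x0F                 # number of historical bytes
    y = t0 >> 4                   # presence bits for TA1 TB1 TC1 TD1
    i, n, td = 2, 1, 0
    iface: List[Tuple[str, int]] = []
    protocols = set()
    while True:
        td_present = bool(y & 8)
        # Bits 5..8 of T0/TD(n) say which of TA/TB/TC/TD for group n follow.
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(b):
                    raise ValueError("ATR truncated inside interface bytes")
                iface.append((f"{name}{n}", b[i]))
                if name == "TD":
                    td = b[i]
                i += 1
        if not td_present:
            break
        protocols.add(td & 0x0F)  # low nibble of TD(n) = protocol type T
        y = td >> 4               # high nibble = presence bits for group n+1
        n += 1
    if not protocols:
        protocols = {0}           # TD1 absent: T=0 is implied by the spec
    if i + k > len(b):
        raise ValueError("ATR truncated inside historical bytes")
    historical = b[i:i + k]
    # TCK is present only when a protocol other than T=0 is offered; the XOR
    # of T0 through TCK must then be zero.
    tck_expected = protocols != {0}
    expected_len = i + k + (1 if tck_expected else 0)
    if len(b) != expected_len:
        raise ValueError(f"ATR length {len(b)} != expected {expected_len}")
    tck_ok = None
    if tck_expected:
        x = 0
        for byte in b[1:]:
            x ^= byte
        tck_ok = (x == 0)
    return {
        "interface": iface,
        "historical": historical,
        "protocols": sorted(protocols),
        "tck_ok": tck_ok,
    }


def t1_only(atr_hex: str) -> bool:
    """True when the card offers T=1 and nothing else (the problematic case)."""
    return parse_atr(atr_hex)["protocols"] == [1]


if __name__ == "__main__":
    # Constructed ATRs (not real cards): T=1 only, T=0 only, T=0 and T=1.
    for atr in ("3B 80 01 81", "3B 00", "3B 80 80 01 01", "3B 82 01 41 42 80"):
        info = parse_atr(atr)
        print(atr, "->", info["protocols"], "T=1 only:", t1_only(atr),
              "TCK ok:", info["tck_ok"])
```

If `t1_only` reports true for a card that the pre-10.5.6 driver refused, the protocol restriction, not the reader, is the likely cause; a failed TCK check usually means the ATR was copied incorrectly rather than that the card is faulty.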