Timothy J. Miller wrote:
Todd Denniston wrote:
You are probably a little better in the know than me, so please clarify.
I thought that all the new 64K cards were coming with the PIV applet,
is that incorrect?
I just double-checked: Based on testimony, there is no 32k stock in the
issuance pipeline any more; it's all 64k now. No cards will be issued
with the PIV applet until October of this year.
Note that this is about production cards. You can certainly get test
cards with the PIV applet. In fact, the guy two desks over has one.
What we don't have is middleware (yet).
OpenSC-0.11.0 has PIV support via PKCS#11. The intent was to provide the
client side routines. But for testing the piv-tool can initialize some
test cards if you know the keys and particulars of the card you are using.
I have been testing this with a number of beta PIV cards, including the
Oberthur card which matches NIST 800-73-1.
By using the piv-tool I can have the card generate a key pair, use this
to generate a certificate request, get the requests signed by a Microsoft
CA, then use the piv-tool to load the certificate to the card.
I can then use this with Windows login, using the Identity Alliance CSP,
or with IE via the CSP or Mozilla via PKCS#11. On LINUX I can use it with
Mozilla, and can even use it with Heimdal Kerberos with PKINIT via PAM to
login to LINUX using the Windows AD as the KDC. In this testing mode,
the certificate is a Windows-compliant certificate and not a fully PIV-compliant
certificate.
If the guy two desks over from you wants to try this, have him
drop me a note.
Are you indicating that after October, we will start having yet
another applet to build support for, i.e., the CAC bundle we are
grabbing from Apple will not work with the PIV?????
Starting in October, DoD starts issuing cards with both the CAC v2 and
PIV applets from the first upgraded DEERS/RAPIDS workstation. Transition
to PIV-only cards (i.e., no CAC applets) should start three years after
the last DEERS/RAPIDS workstation is upgraded to issue the PIV cards.
We're expecting that the total time from the October start to issuing
PIV-only cards will be ~4 years.
The current CAC bundle should work so long as there are CAC applets on
board, and that will be true for a while. Personally, I'd think it
would be easier to build a brand-new PIV plugin than to evolve the CAC
plugin, especially since PIV-transition is *only* for DoD. OGAs that
currently have no smartcard tokens start out with PIV from day one.
Oh, and the NSA can throw a wrench into this schedule at any time, just
to keep things interesting.
-- Tim
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444