Hi Sergei,
On Thu, Jul 05, 2007 at 01:26:50PM +0400, Sergei Vyshenski wrote:
> Until recently I thought that smartcard personalization was a
> special procedure to work around the RA during the initial mass
> admittance of a crowd of new users, and that this procedure acts
> according to the HR database.
That still (sort of) holds true, although the steps are a bit different.
I guess I'll try and describe what smartcard personalization does at the
moment and then how you could implement your scenario:
- HR sends a blank token to a user who is supposed to get a certificate
- The user logs into the smartcard personalization workflow (preferably
  using strong authentication)
- The workflow retrieves the data that is to be put into the certificate
(for example his e-mail address, his UPN, ...) from an LDAP directory
and displays (parts of) it to the user.
- The user creates a certificate request with the smartcard by clicking
on the appropriate button, which is sent to the CA
- Now we have two different cases: either the system is configured to
automatically issue the certificate (which is something you might want
to do if you have strong authentication and are thus sure that the
requestor is who he claims to be), or the request is queued for
approval. After approval by an RA, the certificate is issued
- The user installs the certificate by clicking on the appropriate
button and is done with the personalization
> 1) HR database is prepared in advance, and has special flags which
> describe rights of each user in a PKI.
You could do this by either restricting access to the PKI based on the
flag (using your own (external) authentication handler), or by
configuring the LDAP query for the certificate data accordingly.
> 2) A user visits HR, shows his face and ID, then HR girl gives him a
> brand new sealed card.
>
> 3) A user inserts this card into a special computer, while the girl
> types in his unique name and her credentials. Thus the girl acts
> as an RA officer would, who approves his CSR. With the exception that no
> CSR is set during this procedure.
You can let the user login using his credentials or let the "HR girl"
login as the user and do the procedure.
> 4) Special computer contacts CA with this info. CA knows about
> special status of this very computer and about status of HR girl.
> CA looks into HR database, reads flags about this particular user, and
> issues certificate.
>
> All happens without CSR and without need to teach a crowd of newcomers,
> how the whole procedure works.
As said, the easiest way would probably then be to let the HR girl do
all the work by letting her log in with all user names and a special
password, for example, and do the personalization on the spot. Note that
with the cards we've tested, the personalization still takes a few
minutes (I'd guess 2-4, not having exact figures), so it's not really
usable if you have a long queue of users, which is one of the reasons we
wanted the users to do it themselves ...
HTH,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer
[EMAIL PROTECTED] | working @ urn:oid:1.3.6.1.4.1.11417
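The enrolment policy Alex walks through above (certificate data pulled from a directory, an HR flag gating who may enrol, auto-issue only for strongly authenticated sessions, otherwise an RA approval queue) as a small runnable model. This is an added example, not OpenXPKI's own code: the directory entries, the `pkiEnrol` flag name, the `PKI` class and the `enrol` helper are all constructed for illustration; only the UPN otherName OID is a real identifier.

```python
from dataclasses import dataclass, field

# Constructed directory entries standing in for the LDAP/HR database (not real data).
# "pkiEnrol" is a hypothetical name for the HR flag that says who may get a certificate.
DIRECTORY = {
    "jdoe":   {"cn": "John Doe",   "mail": "jdoe@example.com",
               "userPrincipalName": "jdoe@corp.example.com",   "pkiEnrol": True},
    "asmith": {"cn": "Anna Smith", "mail": "asmith@example.com",
               "userPrincipalName": "asmith@corp.example.com", "pkiEnrol": False},
}

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN otherName type used in subjectAltName


def certificate_data(user):
    """Look the user up and assemble the fields that go into the certificate.
    Raises PermissionError when the HR flag denies enrolment, so the check is
    enforced before any request reaches the CA (Sergei's point 1)."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry.get("pkiEnrol"):
        raise PermissionError(f"{user} is not entitled to a certificate")
    return {
        "subject": f"CN={entry['cn']}",
        "san": [("rfc822Name", entry["mail"]),
                ("otherName", UPN_OID, entry["userPrincipalName"])],
    }


@dataclass
class PKI:
    """Minimal CA front-end: issued requests and the RA approval queue (hypothetical)."""
    issued: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)
    next_id: int = 1

    def submit(self, user, strong_auth, auto_issue=True):
        """Build the request from directory data, then either issue it automatically
        (only when the session was strongly authenticated and policy allows it)
        or queue it for an RA officer."""
        data = certificate_data(user)  # may raise PermissionError
        req_id = self.next_id
        self.next_id += 1
        request = {"id": req_id, "user": user, "data": data}
        if auto_issue and strong_auth:
            self.issued[req_id] = request
            return "issued", req_id
        self.pending[req_id] = request
        return "pending", req_id

    def approve(self, req_id, ra_officer):
        """RA approval: the approving officer's identity is recorded with the request,
        which is what an HR operator enrolling users on the spot amounts to."""
        request = self.pending.pop(req_id)
        request["approved_by"] = ra_officer
        self.issued[req_id] = request
        return request


def enrol(pki, user, strong_auth):
    """One personalization attempt; an HR-flag denial is reported, not raised."""
    try:
        return pki.submit(user, strong_auth)
    except PermissionError:
        return "rejected", None


if __name__ == "__main__":
    pki = PKI()
    print(enrol(pki, "jdoe", strong_auth=True))    # issued straight away
    print(enrol(pki, "asmith", strong_auth=True))  # HR flag says no
    print(enrol(pki, "jdoe", strong_auth=False))   # queued for the RA
```

The point worth keeping when wiring this into a real workflow is that the HR flag and the strong-authentication requirement are checked on the server side before issuance, not merely in the user interface that displays the directory data.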
_______________________________________________
OpenXPKI-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-devel