Some thoughts on how we could support alternate tokens.

This discussion focuses on supporting alternate tokens to issue VT User CA certificates and manage them with TAS.

Motivation

Current token requirements are fairly limited: mostly signing data via a PKCS#11 provider. There is plenty of opportunity for individuals or departments to use tokens for other purposes, which often require add-on software or a different model of token.
Having multiple tokens in place will help encourage competition among the vendors.

Token Requirements

TAS

The token administration system (TAS) must support any token used for issuing VT User CA certificates.

Most of this discussion relates to TAS version 2, which provides a much better facility for integrating multiple tokens. TAS 2 is in development now. Need a guess at release time frame.

CA Policy

Support

Cost