View Source

Info to give vendors on what they should tell us about.

Information for vendors presenting smart card products to the security token working group (STWG).

Background Information

This section gives potential vendors a brief summary of what we are doing and what we want.

Virginia Tech is in the process of issuing smart cards/tokens to all faculty
and staff (approximately 6500 users).  The Aladdin eToken was selected for
this phase of the project.  The scope of this phase is fairly limited and
only requires support for signing documents with a web browser under
MS Windows, Linux, and OS X.

Evaluation of smart devices will be an ongoing process.  We would like to
support several devices if practical.  Our current expectation is to replace
the Aladdin eTokens in three to five years and we would like to conduct small
deployments of alternate devices during that time.

The university has 25,000+ students.  While there is no firm plan to
distribute smart devices to them at this time, experience with the current
phase of deployment may demonstrate enough benefit that this will occur.

To the extent practical, we want:
* a commodity product, i.e. standards-based and as interchangeable with
  similar products as practical.
* vendor, platform, and operating system neutrality.
* open availability of technical information, e.g. developer's web site
  or wiki.
* support in open-source products such as OpenSSL and OpenSC, and GnuPG

Also note that:
* Our token management system is a locally developed application which
  interfaces with a backend OpenCA certification authority to support
  personal certificate enrollment.

Please include Phil Benchoff (benchoff@vt.edu) and
Frank Galligan (frankg@vt.edu) on any follow up communications
related to this project.

Specific Questions and Presentation Topics

This section outlines the topics we would like covered in a more detailed presentaion from a vendor.

Show us where a developer wanting to integrate support into something like OpenSC, OpenCA or OpenXPKI would to get the information required.
Show the components required for an individual to purchase a token and actually use it, i.e. format utilities, etc.
What is the FIPS rating of the device?
Does the device meet ISO 7816-1,2,3,4 standards?
Is onboard key generation supported.
What public key sizes are supported?
What is the storage capacity?
Do any of the devices support Javacard?
What encryption and message digest algorithms are supported?
Is there a SDK available? For what platforms and APIs?

Platform Support

Generic

Signing with web browser
Authentication with web browser
E-mail signing
E-mail encryption
PKCS#11
PKCS#15

Linux

Required: PKCS#11 module for use with Firefox/Mozilla/Netscape
OpenSSL
GnuPG
OpenSC/OpenCT
PCSC-lite
OpenSSH
PAM
KDE

MAC

Required: CDSA (Common Data Security Architecture) support for Safari and Mac Mail

Required: PKCS#11 module for use with Firefox/Mozilla/Netscape

tokend support?
PB: Mac folks: put something here if you want it to be supported.

MS Windows

Required: Cryptographic API (CAPI)?

Required: PKCS#11 module for use with Firefox/Mozilla/Netscape

Component Object Model (COM)?
Active X?
GINA?
PB: Windows folks: put something here if you want it to be supported.

Custom applications

For any custom add-on applications (e.g. web password storage) explain the data format and demonstrate backup,
export, and import of the data in a useful format (e.g. text, XML, etc.) that could be imported or exported to/from another similar application.

Hardware

Available in both USB and card form factor?

Add-ons

Flash drive
Biometric reader
Mag stripes

Support

Online problem report entry and update
Online issue tracking
Download of drivers and related software
Access to knowledge base
Escalation procedures

Technical Information

Documentation

API

Development Community

Web site/Forum/Wiki

Source Code

Developer's kit