Information for vendors presenting smart card products to the Security Token Working Group (STWG).

Background Information

This section gives potential vendors a brief summary of what we are doing and what we want.

Virginia Tech is in the process of issuing smart cards/tokens to all faculty
and staff (approximately 6500 users).  The Aladdin eToken was selected for
this phase of the project.  The scope of this phase is fairly limited and
only requires support for signing documents with a web browser under
MS Windows, Linux, and OS X.

Evaluation of smart devices will be an ongoing process.  We would like to
support several devices if practical.  Our current expectation is to replace
the Aladdin eTokens in three to five years and we would like to conduct small
deployments of alternate devices during that time.

The university has 25,000+ students.  While there is no firm plan to
distribute smart devices to them at this time, experience with the current
phase of deployment may demonstrate enough benefit that this will occur.

To the extent practical, we want:
* a commodity product, i.e. standards-based and as interchangeable with
  similar products as practical.
* vendor, platform, and operating system neutrality.
* open availability of technical information, e.g. developer's web site
  or wiki.
* support in open-source products such as OpenSSL, OpenSC, and GnuPG.

Also note that:
* Our token management system is a locally developed application which
  interfaces with a backend OpenCA certification authority to support
  personal certificate enrollment.

Please include Phil Benchoff (benchoff@vt.edu) and
Frank Galligan (frankg@vt.edu) on any follow up communications
related to this project.

Specific Questions and Presentation Topics

This section outlines the topics we would like covered in a more detailed presentation from a vendor.

  • Show us where a developer wanting to integrate support into something like OpenSC, OpenCA or OpenXPKI would go to get the information required.
  • Show the components required for an individual to purchase a token and actually use it, e.g. drivers and format/initialization utilities.
  • What FIPS 140 validation level, if any, does the device hold?
  • Does the device meet ISO/IEC 7816 parts 1, 2, 3 and 4?
  • Is onboard (on-card) key generation supported?
  • What public key sizes are supported?
  • What is the storage capacity?
  • Do any of the devices support Java Card?
  • What encryption and message digest algorithms are supported?
  • Is there an SDK available? For which platforms and APIs?
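
The key-size, algorithm and onboard key generation questions above can be checked against a candidate token's PKCS#11 module instead of being taken from a datasheet. The following Python script is an added example written for this page (not vendor code and not part of OpenSC): it parses the mechanism list printed by OpenSC's `pkcs11-tool --module <vendor-module.so> -M` and reports whether the token generates RSA keys on the device, signs in hardware (the `hw` flag), and supports SHA-256 RSA signatures at the required key size. The sample output embedded in it is constructed to match the pkcs11-tool layout and does not describe any particular product; the function names and the requirement list are this example's own.

```python
"""Check a token's PKCS#11 mechanism list against the STWG questions.

Live use (OpenSC installed):  python check_mechs.py /usr/lib/vendor-pkcs11.so
Without an argument the constructed SAMPLE below is evaluated instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample modelled on `pkcs11-tool -M` output; not a real device.
SAMPLE = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
"""

# keySize={min,max} contains a comma, so it is pulled out before splitting on commas.
KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")


@dataclass
class Mechanism:
    name: str
    min_key: Optional[int]   # None for mechanisms without a key size (digests)
    max_key: Optional[int]
    flags: Set[str]          # e.g. {"hw", "sign", "verify", "generate_key_pair"}


def parse_mechanisms(text: str) -> Dict[str, Mechanism]:
    """Parse pkcs11-tool -M output; mechanism lines are the indented ones."""
    mechs: Dict[str, Mechanism] = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue  # "Using slot ..." / "Supported mechanisms:" headers
        body = line.strip()
        lo = hi = None
        m = KEYSIZE_RE.search(body)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            body = KEYSIZE_RE.sub("", body)
        parts = [p.strip() for p in body.split(",") if p.strip()]
        name, flags = parts[0], set(parts[1:])
        mechs[name] = Mechanism(name, lo, hi, flags)
    return mechs


def evaluate(mechs: Dict[str, Mechanism], rsa_bits: int = 2048) -> Dict[str, object]:
    """Answer the presentation questions for a required RSA key size."""

    def supports(name: str, bits: Optional[int] = None) -> bool:
        m = mechs.get(name)
        if m is None:
            return False
        if bits is None:
            return True
        return m.min_key is not None and m.min_key <= bits <= m.max_key

    return {
        # Onboard key generation: the key-pair-gen mechanism exists at this size.
        "onboard_rsa_keygen": supports("RSA-PKCS-KEY-PAIR-GEN", rsa_bits)
        and "generate_key_pair" in mechs["RSA-PKCS-KEY-PAIR-GEN"].flags,
        # "hw" is CKF_HW: the raw RSA operation runs on the token, not in the driver.
        "rsa_sign_in_hardware": supports("RSA-PKCS", rsa_bits)
        and "hw" in mechs["RSA-PKCS"].flags,
        # Needed for SHA-256 document/e-mail signatures without host-side hashing tricks.
        "sha256_rsa_sign": supports("SHA256-RSA-PKCS", rsa_bits),
        "max_rsa_bits": max(
            (m.max_key or 0 for m in mechs.values() if m.name.startswith("RSA")),
            default=0,
        ),
        "ecc": any(n.startswith("ECDSA") for n in mechs),
    }


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1:
        # pkcs11-tool ships with OpenSC; argv[1] is the vendor's PKCS#11 module.
        text = subprocess.run(
            ["pkcs11-tool", "--module", sys.argv[1], "-M"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        text = SAMPLE
    for key, value in evaluate(parse_mechanisms(text)).items():
        print(f"{key}: {value}")
```

Run it against each candidate module and compare the output with the vendor's answers; a mechanism that is advertised but lacks the `hw` flag is being done in the driver, which matters when the point of the token is that private keys never leave the device.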

Platform Support

Generic

  • Signing with web browser
  • Authentication with web browser
  • E-mail signing
  • E-mail encryption
  • PKCS#11
  • PKCS#15

Linux

  • Required: PKCS#11 module for use with Firefox/Mozilla/Netscape
  • OpenSSL
  • GnuPG
  • OpenSC/OpenCT
  • PCSC-lite
  • OpenSSH
  • PAM
  • KDE

Mac OS X

  • Required: CDSA (Common Data Security Architecture) support for Safari and Mac Mail
  • Required: PKCS#11 module for use with Firefox/Mozilla/Netscape
  • tokend support?
  • PB: Mac folks: put something here if you want it to be supported.

MS Windows

  • Required: Microsoft CryptoAPI (CAPI) support, i.e. a cryptographic service provider (CSP)?
  • Required: PKCS#11 module for use with Firefox/Mozilla/Netscape
  • Component Object Model (COM)?
  • Active X?
  • GINA (Windows logon)?
  • PB: Windows folks: put something here if you want it to be supported.

Custom applications

  • For any custom add-on applications (e.g. web password storage), explain the data format and demonstrate
    backup, export, and import of the data in a useful format (e.g. text, XML) that another similar
    application could import or export.

Hardware

  • Available in both USB and card form factor?

Add-ons

  • Flash drive
  • Biometric reader
  • Magnetic stripe

Support

  • Online problem report entry and update
  • Online issue tracking
  • Download of drivers and related software
  • Access to knowledge base
  • Escalation procedures

Technical Information

Documentation

  • API

Development Community

  • Web site/Forum/Wiki

Source Code

  • Developer's kit