Bugzilla – Bug 3555
Implement HSPD-12/PIV-II
Last modified: 2008-08-11 15:18:51
Please implement smart card, specifically PIV-II smart card, support into GLOBUS. Homeland Security Presidential Directive (HSPD) 12 mandates that federal employees and contractors will use strong authentication. FIPS 201 has chosen that strong authentication to be smart cards. GLOBUS is in an excellent position to solve the remote access problem posed by HSPD-12. As you know, smart cards and GLOBUS both rely on certificates. The national laboratories are unsure how to address remote access when they must enable to smart cards.
The President's directive HSPD-12 can be seen at http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
and FIPS-201 can be found at http://csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf
NIST SP 800-73 (which details the smart card dialogue) can be found at http://csrc.nist.gov/publications/nistpubs/800-73/SP800-73-Final.pdf
Thanks! ---- John Volmer
John - are there any open source libraries (or even a specified API) for interfacing with these cards?
Hi Von, Doug Engert tells me to ask for a PKCS 11 Interface. NIST SP 800-73 provides the precise command codes (APDUs) to interface with the card. Some other technical work in this field includes
Michigan State University: http://cse498t04s.cse.msu.edu/
Muscle Project: http://www.linuxnet.com/
--- John
One more note: PIV-II cards don't exist yet. I am planning ahead.
In May 2005 Doug Engert and I met with David Corcoran, who is responsible for two WWW sites that offer smart card software: http://www.linuxnet.com (open source) and http://www.identityalliance.com (commercial). Dave participated in the HSPD-12 specification as well. I got the sense that all of the smart card open source stuff is at http://www.linuxnet.com but if you want the nicely packaged stuff you need to go to http://www.identityalliance.com. Also, Dave has done some work with Michigan State to create a PIV compliant Java smart card, but I could not find the source at http://cse498t04s.cse.msu.edu/.
Oberthur has a PIV-II compliant card available for beta testing. They are seeking testers. The APDU commands are as stated in NIST 800-73.
"Over the course of a 4 week period, Oberthur looks forward to receiving your valuable feedback on our ID-One Cosmo 64K Dual Interface Card and our PIVII applet. We are hoping to hear back from you on:
1- Any issues surrounding interoperability
2- Any suggestions or insights concerning the applet and/or card
3- Any questions that you may need answered to effectively test the card
4- Any positive feedback as well"
Contact: Lynn M. Rice, Business Development Manager - Government & ID, Oberthur Card Systems, 4250 Pleasant Valley Road, Chantilly, VA 20161
Tel: 703-322-8954 Cell: 703-571-239-2390 lynn.rice@oberthurcs-usa.com
Subject: Re: Implement HSPD-12/PIV-II
Joe, Please see http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
OpenSC provides a PKCS#11 lib that can use the PIV cards. This is the code I have been working on for the last few years, using Beta PIV cards. John's original bug report was to get Globus people aware that these cards were coming. If you can call PKCS#11 then you would be ready.
bugzilla-daemon@mcs.anl.gov wrote:
> http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=3555
>
> kettimut@mcs.anl.gov changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> AssignedTo|kettimut@mcs.anl.gov |bester@mcs.anl.gov
>
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.