2011-11-01 19:01 AEST by Arthur Barrett - The :sspi: client protocol should support smartcard (FIPS 140 PIV) and the use of it should be 
documented.

Basically FIPS 140 PIV is the use of an RSA key on a smartcard that is accessed by a vendor specific API. 

Note: the smartcard may require a PIN each time the RSA key is accessed, so this authentication 
technique probably relies on the use of CVSAgent to cache the credentials.

 
Note: This is discussed briefly in the 2.5.02.2048 release notes - that added native schannel for 
windows SSPI (bug 5747 later added this for sserver on 2.5.05).

Aug 4, 2005:
* Support Schannel SSPI (disabled by default).  Given a Win2003 CA, and valid server & user certificates, 
this allow login by certificate/ssl encryption over SSPI. 
  
So assuming the server had a usable certificate and the client was capable of pulling the certificate off 
the smartcard, then SSPI could work with FIPS 140 PIV.

2012-02-13 09:27 AEST by Arthur Barrett - Created an attachment (id=2315)
technical brochure of smartcard

It appears there are two API's:
* Microsoft CryptoAPI (used by Internet Explorer and Outlook)
* PKCS11 stack (used by Mozilla FireFox)

Gemalto have a range of cards (TOP is the product D - dual interface, W
dual+contactless comes in (L)arge and (M)edium memory sizes, eg: TOP-DL):
http://www.gemalto.com/products/piv_card/product_brief.html

That can be purchased online:
http://boutique.gemalto.com/boutique/GEMALTO-B2CCORP-Site/2CATEGORY6Cards/cat-WFS-en_US-EUR-FQ0KAwOEwAYAAAEyU.8k5Pxo

2012-02-13 09:44 AEST by Arthur Barrett - Created an attachment (id=2316)
CT-API

It appears there are more than two API's:
* Microsoft CryptoAPI (used by Internet Explorer and Outlook)
* PKCS11 stack (used by Mozilla FireFox)
* CT-API
http://www.linuxnet.com/documentation/files/ctapi-howto.html


Note: some interesting background info here (gemplus is now gemalco):
http://technet.microsoft.com/en-us/library/dd277362.aspx

2012-02-13 10:01 AEST by Arthur Barrett - To test/use the gemalco card I may need:
* ActivIdentity ActivClient - client software
* ActivIdentity AAA 4TRESS - LDAP software

I don't think these are really needed for testing since they are not part of the authentication toolchain:
* ActivIdentity Universal Enterprise Access - more about issuing cards?
* ActivID Card Management System (CMS) - like RSA Securid, more about securing the session

See:
http://www.actividentity.com/products/credentialmanagement/ActivIDCardManagementSystem/
and:
http://www.actividentity.com/products/securityclients/ActivIdentitySecureLoginSingleSignOn/


Fortunately it appears that there are trial versions:
http://www.actividentity.com/resources/evaluation/

2012-02-13 10:31 AEST by Arthur Barrett - Microsoft Identity Lifecycle Manager (CLM 2007) may be an alternative to do Card Mamagement, it 
supports Global Secure Channel Protocol SCP 01...