Educause Security Discussion mailing list archives

Use of SmartCards and PKI Components

From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Tue, 11 Apr 2006 17:02:36 -0400

I'd like to hear opinions or experiences regarding the implementation of PKI/SmartCard
systems - particularly for IT security applications like user authentication for VPN,
websites, applications, S/MIME usage, document signing, etc.

I'm working on a project to implement such a system to provide high 'level of assurance'
user authentication for a targeted group of users but it would be nice to support the use
of the devices more broadly for those users that need the security. I'm finding increasing
maturity in PKI/SmartCard application and platform integration. Support is available in
many commercial and open source desktop applications - even OpenSSH and PuTTY login
authentication via X.509 cert/key on a SmartCard is available nowadays. I'm not too
interested in using PKI components without the SC container - the institutional user
ID/password system provides for this level of security. SC and USB components are
relatively inexpensive - $30 - $50 range. The CA operation is another design choice -
whether to stand up an internal CA or use a commercial provider. I'm investigating OpenCA
at the moment which seems to provide a great deal of functionality.

Some of the issues to tackle include automated certificate/keypair renewal, whether to use
USB or SC form factors, the use of hybrid cards - multiple technologies on a single card
for physical security and accounting and how long the USB devices can be expected to last.


Mike Wiseman
Computing and Networking Services
University of Toronto
