> -----Original Message-----
> From: gunslingor gunslingorsadf
> Sent: Thursday, December 19, 2019 7:51 AM
> To: [email protected]
> 
> These are the kind of cards in use: https://www.cac.mil/common-access-card/

You are using the JITC test cards - 
http://jitc.fhu.disa.mil/projects/pki/pki_lab/obtaining_test_common_access_cards.aspx
 [https not happy right now, use curl? Or access via NIPRNet]

> 
> There are multiple types of distribution we do: Client Side Apps, Server
> based web pages and some special ones. Everything is java on the backend
> and JS on the front end, even client apps. 

The web crypto API is incomplete - having same issue of signing in the browser 
right now, patch to firefox is in our backlog. Work around is local client 
software.

> No matter what package we
> release, they all use cards like these to login, sign PDFs and
> similar...
> the private key shouldn't 

CANNOT

leave the smartcard I agree. What I don't know
> is how these cards really work because I don't have access to them, but

Get a PIV key to work with - 
https://www.amazon.com/Taglio-Certificate-Authentication-Identification-Contactless/dp/B00SJV2CNK

Some clients also have HID ActivClient 7.x middleware on windows (not really 
needed) - 
https://www.scbsolutions.com/express/product_info.php?cPath=32&products_id=125 
Linux is a different story - google it, no idea about Mac.

> I know internet isn't required to use them and rarely is available on
> the client side apps. I have seen the end user sign a PDF with acrobat
> reader and they seem to do it normally, with a certificate selector. 

Acrobat on windows - user sets up security settings, selects certificate 
matching card, windows API prompts for pin.

> I
> would guess that these cards act as a sort of keystore themselves and

Yes, but I would not phrase it that way. They are an "external cryptographic 
provider" and are almost always configured to never let the private keys leave 
the device and require a security pin to perform privileged operations (e.g. 
use private key).

> the clients have special software installed that

Not really needed these days, but see above.

> , when the card is
> inserted and authenticated, grants access to the certificate and perhaps
> imports them into the windows keystore

Yes, the middleware can help with that. But modern OS (win 7+) should work out 
of the box for PIV (note CAC is inconsequentially different for your use case).

>  so that apps (like acrobat) know
> where to look when signing... but that is just a layman's guess and I
> could be wrong...
> 
> 
> Based on my (lack of) knowledge on these cards, javascript seems like

The hardest way, absolutely the hardest way if using smartcards. Again see 
above.

> the only way... yet I suspect that would be more limiting in
> functionality than a java solution. Any questions?

If you need, have your PMO reach out to me on the .mil side.

> 
> > From: Wade Polk
> > Sent: Wednesday, December 18, 2019 5:58 PM
> >
> > Yeah... it's our main use case but we won't have access to the smart
> > cards anytime soon. Internet isn't an option so web services won't
> > work.
> > Javascript solution is the only way to go it would appear... at least
> > for these smartcards; still need the keystore approach as well too
> > though, not
> 
> Need actual specifics here...
> 
> > everyone uses them.
> >


--
Jason Pyeron  | Architect
Contractor    |
PD Inc        |
10 w 24th St  |
Baltimore, MD |

.mil: [email protected]
.com: [email protected]
tel : 202-741-9397
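As an added example (not code from this thread or from anyone on it), this is how the "external cryptographic provider" described above is driven from Java through the SunPKCS11 provider: the card performs the signature after a PIN login and the private key is never exported, which is what a Java backend or client app signing PDFs would build on. The OpenSC module path, the PIV_PIN environment variable and the alias selection are assumptions for the example; swap in your middleware's PKCS#11 library.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class CardSigner {
    public static void main(String[] args) throws Exception {
        // Assumption: OpenSC's PKCS#11 module; adjust the path for your middleware.
        String cfg = "--name=PIV\nlibrary=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\n";
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg); // Java 9+
        Security.addProvider(p11);

        // Assumption: PIN supplied via environment for the example; prompt for it in real code.
        char[] pin = System.getenv("PIV_PIN").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);   // C_Login: the card refuses private-key use without it

        // Pick the first alias that carries a private-key handle (e.g. the PIV signing key).
        String alias = null;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // The handle holds no exportable material: the key stays on the card.
        System.out.println("encoded private key: " + key.getEncoded()); // null

        byte[] data = "constructed sample: document digest goes here".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", p11);
        signer.initSign(key);
        signer.update(data);
        byte[] sig = signer.sign();   // computed on the card, PIN already presented

        // Verify off-card with the public key from the card's certificate.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

On Windows the same flow works without a PKCS#11 module by using `KeyStore.getInstance("Windows-MY")` with the SunMSCAPI provider, which is the path Acrobat takes when the OS prompts for the PIN.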
