DoD Implementation Guide for CAC PIV End-Point - Common ...
DoD Implementation Guide for CAC PIV End-Point

implementation for the DoD, the PIV Authentication certificate equates to the DoD email signing key pair and certificate.
Table 13. PIV, CAC Key, and Certificate Access Rules.

| Key Name | Key Purpose | Access (Read Cert / Sign) | OID | M/O |
|---|---|---|---|---|
| NIST SP-800-73-1 Certificates | | | | |
| PIV Authentication Certificate | Used to authenticate the card and the CH using PIN. Identity key for logical access. | PIN / PIN | 0x0101* | M |
| Digital Signature Certificate | Digital signature for non-repudiation. Contact only. | PIN / PIN-Always | 0x0100 | O |
| Key Management Certificate | Encryption key. Contact only. | PIN / PIN not needed | 0x0102 | O |
| CAC Certificates | | | | |
| PKI Signature Key | PKI logical login (Outlook); digital signature with non-repudiation; logical access; PIN. Outlook requires a special extension. | ALW / PIN | 0x0101 | M |
| PKI Identity Key | Can be used for non-repudiation signing outside Outlook. | ALW / PIN | 0x0100 | M |
| PKI Encryption Key | Key encipherment. | ALW / PIN | 0x0102 | M |

Note: The gray area in the table indicates keys which the DoD functionally implemented using existing DoD PKI keys.
* When the PIV Auth certificate is accessed via the Transitional card edge (PIV Auth activated mode) the OID is 0xA001.

The PIV Auth certificate and the CAC PKI Signature certificate have similar functionality. The middleware must specifically differentiate between these keys.
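The following is an added illustrative model of the Table 13 access rules and the 0xA001 footnote; it is not code from the DoD guide or from any CAC/PIV middleware. It assumes the SP 800-73 meaning of the access conditions: "PIN" is satisfied by a PIN verified earlier in the card session, while "PIN Always" requires a verification immediately before each use of the key.

```python
# Illustrative model of Table 13 (constructed here, not the guide's own code).
# Rows are keyed by (card application, key reference) because the PIV and
# CAC namespaces reuse the same reference values 0x0101, 0x0100 and 0x0102,
# which is exactly why middleware must track which application it addresses.
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRule:
    name: str
    read_cert: str   # access condition for reading the certificate
    sign: str        # access condition for using the private key ("Sign" column)
    mandatory: bool  # M/O column


TABLE_13 = {
    ("PIV", 0x0101): KeyRule("PIV Authentication", "PIN", "PIN", True),
    ("PIV", 0x0100): KeyRule("Digital Signature", "PIN", "PIN Always", False),
    ("PIV", 0x0102): KeyRule("Key Management", "PIN", "Not needed", False),
    ("CAC", 0x0101): KeyRule("PKI Signature Key", "ALW", "PIN", True),
    ("CAC", 0x0100): KeyRule("PKI Identity Key", "ALW", "PIN", True),
    ("CAC", 0x0102): KeyRule("PKI Encryption Key", "ALW", "PIN", True),
}


def resolve(app: str, key_ref: int, transitional: bool = False) -> KeyRule:
    """Map a key reference to its Table 13 row.
    Per the table footnote, in the Transitional card edge (PIV Auth activated
    mode) the PIV Auth certificate is addressed as 0xA001; fold that alias
    back onto the 0x0101 row so callers see one rule for the same key."""
    if app == "PIV" and transitional and key_ref == 0xA001:
        key_ref = 0x0101
    try:
        return TABLE_13[(app, key_ref)]
    except KeyError:
        raise LookupError(f"no {app} key with reference {key_ref:#06x}") from None


def allowed(rule: KeyRule, op: str, pin_cached: bool, pin_fresh: bool) -> bool:
    """Decide whether an operation may proceed given the PIN state.
    pin_cached: the PIN was verified earlier in this card session.
    pin_fresh:  the PIN was verified immediately before this command."""
    cond = rule.read_cert if op == "read_cert" else rule.sign
    if cond in ("ALW", "Not needed"):
        return True
    if cond == "PIN":
        return pin_cached or pin_fresh
    if cond == "PIN Always":
        return pin_fresh
    raise ValueError(f"unknown access condition {cond!r}")
```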
5.7 PIV Authentication Certificate (0x0101)

This certificate is used to authenticate the card holder for logical access scenarios. The CAC PKI Signature key and associated certificate is used for Microsoft cryptographic logon and PKI signature. The DoD certificate does not include the NACI (as specified by FIPS 201), but it does contain the FASC-N. It also contains a UN = email address.

The diagram below illustrates the process of authenticating the PIV Authentication Certificate.