6.3 Supported features for IDEMIA smart cards
See section 2.1, Supported features for a description of the features supported by smart cards.
6.3.1 Features
The following MyID features are smart card or middleware specific. The table below indicates which smart card-dependent features are available in MyID with IDEMIA smart cards.
|
|
Features |
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Smart card |
||||||||||
|
Oberthur ID-One Cosmo v7.0.1 with IAS Standard applet |
Y |
P |
|
|
P |
|
|
|
Y |
Y |
|
Oberthur ID-One PIV (v2.3.2) “ID-One PIV (Type A) Large D” |
|
P |
Y |
|
P |
P |
Y |
|
Y |
Y |
|
Oberthur ID-One PIV (v2.3.4) |
|
P |
Y |
|
P |
P |
Y |
|
Y |
Y |
|
Oberthur ID-One PIV (v2.3.5) |
|
P |
Y |
|
P |
P |
Y |
|
Y |
Y |
|
Oberthur ID-One PIV (v2.4.0) |
|
P |
Y |
|
P |
P |
Y |
|
Y |
Y |
|
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 |
|
P |
Y |
|
P |
P |
Y |
Y |
Y |
Y |
|
IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 |
|
P |
Y |
|
P |
P |
Y |
Y |
Y |
Y |
Key:
- Y – Fully supported.
- P – Partially supported. See below for details.
- blank – Not supported.
6.3.1.1 PIN management
The following IDEMIA cards support a limited range of PIN management features:
|
|
Smart card |
|
|---|---|---|
|
Feature |
Oberthur ID-One Cosmo v7.0.1 with IAS Standard applet |
Oberthur ID-One PIV (v2.3.2) “ID-One PIV (Type A) Large D” |
|
Lock the PIN after issuance. |
Y |
Y |
|
Identify when the PIN is locked. |
Y |
Y |
|
Replace the SOPIN with a randomized value. |
Y |
Y |
|
Replace the SOPIN with the factory SOPIN at cancellation. |
Y |
Y |
|
Unlock the PIN using the SOPIN. |
Y |
Y |
|
Provide a remote unlock code. |
Y |
Y |
|
Reset the PIN at cancellation. |
Y |
Y |
|
Configure on-card PIN policy. |
|
|
|
|
Smart card |
|
|---|---|---|
|
Feature |
Oberthur ID-One PIV (v2.3.4) |
Oberthur ID-One PIV (v2.3.5) |
|
Lock the PIN after issuance. |
Y |
Y |
|
Identify when the PIN is locked. |
Y |
Y |
|
Replace the SOPIN with a randomized value. |
Y |
Y |
|
Replace the SOPIN with the factory SOPIN at cancellation. |
Y |
Y |
|
Unlock the PIN using the SOPIN. |
Y |
Y |
|
Provide a remote unlock code. |
Y |
Y |
|
Reset the PIN at cancellation. |
Y |
Y |
|
Configure on-card PIN policy. |
|
|
|
|
Smart card |
|
|---|---|---|
|
Feature |
Oberthur ID-One PIV (v2.4.0) |
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 |
|
Lock the PIN after issuance. |
Y |
Y |
|
Identify when the PIN is locked. |
Y |
Y |
|
Replace the SOPIN with a randomized value. |
Y |
Y |
|
Replace the SOPIN with the factory SOPIN at cancellation. |
Y |
|
|
Unlock the PIN using the SOPIN. |
Y |
Y |
|
Provide a remote unlock code. |
Y |
Y |
|
Reset the PIN at cancellation. |
Y |
Y |
|
Configure on-card PIN policy. |
|
P |
|
|
Smart card |
|---|---|
|
Feature |
IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 |
|
Lock the PIN after issuance. |
Y |
|
Identify when the PIN is locked. |
Y |
|
Replace the SOPIN with a randomized value. |
Y |
|
Replace the SOPIN with the factory SOPIN at cancellation. |
|
|
Unlock the PIN using the SOPIN. |
Y |
|
Provide a remote unlock code. |
Y |
|
Reset the PIN at cancellation. |
Y |
|
Configure on-card PIN policy. |
P |
Key:
- Y – Fully supported.
- P – Partially supported. For details of supported on-card PIN policy features, see section 6.5.2, PIN policy settings.
- blank – Not supported.
6.3.1.2 PKI – RSA
The following IDEMIA smart cards support a limited range of PKI – RSA features:
|
|
Smart card |
||
|---|---|---|---|
|
Feature |
Oberthur ID-One Cosmo v7.0.1 with IAS Standard applet |
Oberthur ID-One PIV (v2.3.2) “ID-One PIV (Type A) Large D” |
Oberthur ID-One PIV (v2.3.4) |
|
Generate a private key for a certificate request. |
Y |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
Y |
|
Cryptographically sign or encrypt data. |
Y |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
Y |
|
Write 1024 bit certificates. |
Y |
Y |
Y |
|
Write 2048 bit certificates. |
Y |
Y |
Y |
|
Write 3072 bit certificates. |
|
|
|
|
Write 4096 bit certificates. |
|
|
|
|
Remove certificates. |
Y |
Y |
Y |
|
Inject a private key for certificate recovery. |
Y |
Y |
Y |
|
Enumerate certificates on the card. |
Y |
|
|
|
|
Smart card |
|
|---|---|---|
|
Feature |
Oberthur ID-One PIV (v2.3.5) |
Oberthur ID-One PIV (v2.4.0) |
|
Generate a private key for a certificate request. |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
|
Cryptographically sign or encrypt data. |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
|
Write 1024 bit certificates. |
Y |
Y |
|
Write 2048 bit certificates. |
Y |
Y |
|
Write 3072 bit certificates. |
|
|
|
Write 4096 bit certificates. |
|
|
|
Remove certificates. |
Y |
Y |
|
Inject a private key for certificate recovery. |
Y |
Y |
|
Enumerate certificates on the card. |
|
|
|
|
Smart card |
|
|---|---|---|
|
Feature |
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 |
IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 |
|
Generate a private key for a certificate request. |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
|
Cryptographically sign or encrypt data. |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
|
Write 1024 bit certificates. |
Y |
|
|
Write 2048 bit certificates. |
Y |
Y |
|
Write 3072 bit certificates. |
|
Y1 |
|
Write 4096 bit certificates. |
|
|
|
Remove certificates. |
Y |
Y |
|
Inject a private key for certificate recovery. |
Y |
Y |
|
Enumerate certificates on the card. |
|
|
Key:
- Y – Fully supported.
- blank – Not supported.
6.3.1.3 PKI – ECC
The following IDEMIA smart cards support a limited range of PKI – ECC features:
|
|
Smart card |
|
|---|---|---|
|
Feature |
Oberthur ID-One PIV (v2.3.2) “ID-One PIV (Type A) Large D” |
Oberthur ID-One PIV (v2.3.4) |
|
Generate a private key for a certificate request. |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
|
ECC NIST P256 Curve |
Y |
Y |
|
ECC NIST P384 Curve |
Y |
Y |
|
ECC NIST P521 Curve |
|
|
|
Remove certificates. |
Y |
Y |
|
Archive certificates. |
Y |
Y |
|
Enumerate certificates on the card. |
|
|
|
|
Smart card |
|
|---|---|---|
|
Feature |
Oberthur ID-One PIV (v2.3.5) |
Oberthur ID-One PIV (v2.4.0) |
|
Generate a private key for a certificate request. |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
|
ECC NIST P256 Curve |
Y |
Y |
|
ECC NIST P384 Curve |
Y |
Y |
|
ECC NIST P521 Curve |
|
|
|
Remove certificates. |
Y |
Y |
|
Archive certificates. |
Y |
Y |
|
Enumerate certificates on the card. |
|
|
|
|
Smart card |
|
|---|---|---|
|
Feature |
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 |
IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 |
|
Generate a private key for a certificate request. |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
|
ECC NIST P256 Curve |
Y |
Y |
|
ECC NIST P384 Curve |
Y |
Y |
|
ECC NIST P521 Curve |
|
|
|
Remove certificates. |
Y |
Y |
|
Archive certificates. |
Y |
Y |
|
Enumerate certificates on the card. |
|
|
Key:
- Y – Fully supported.
- blank – Not supported.
6.3.1.4 ECC support for PIV cards
The ECC features you can use for PIV cards are defined in NIST sp800-78-4:
- The piv-auth and cardauth containers can hold P256 certificates.
- The dig-sig and key-management containers can hold P256 or P384 certificates.
- P521 certificates are not allowed.
6.3.2 Additional features
ID-One PIV smart cards can be provided by IDEMIA to support the following additional features:
- HID Prox support.
- IDEMIA may ship their ID-One PIV cards with the contactless portion disabled. When you first issue an ID-One PIV card through MyID, whether by standard issuance
IDEMIA ID-One PIV 2.4.1 on Cosmo V8.1 and IDEMIA ID-One PIV 2.4.2 on Cosmo V8.2 cards support the following additional feature:
-
Symmetric PIV 9E key.
To enable this feature, set the Manage PIV 9E key on supported devices configuration option (on the Device Security page of the Security Settings workflow) to Yes. The symmetric 9E key is diversified using the 9B Master Key. During card issuance the 9E Key is set using the Customer 9B master key, while the Factory 9B master key is used when the device is erased.