2.1 Supported features
This section lists the features that may be supported within MyID for various smart card types. Each section lists which features are supported for each smart card type; for example, if the smart card is listed as supporting PIN management, you can assume that the smart card supports all of the PIN management features unless specified otherwise.
Determines whether the smart card can be used within MyID with the following features:
- Can be used to generate an RSA keypair that can be used for operations in MyID.
- Can be used to sign data (including logon to MyID) with an RSA keypair on the smart card.
- Can be used to encrypt data with an RSA keypair on the smart card.
- MyID can set the label of the smart card.
- MyID can erase the content of the smart card (excluding the printed card surface).
PIN management – determines whether MyID can manage the PIN for the smart card. This incorporates the following features:
- MyID can lock the user PIN after issuing the smart card.
- MyID can identify when the user PIN is locked.
- MyID can replace the factory security officer PIN (SOPIN) with a randomized value.
- MyID can replace the randomized SOPIN with the factory security officer PIN (SOPIN) at the cancellation of the smart card (when the smart card is present).
- MyID can unlock the user PIN using the SOPIN to access the card.
- MyID can provide an unlock code to a remote user to allow the smart card user PIN to be unlocked.
Note: Earlier versions of MyID used the Remote Unlock workflow for this procedure. From MyID 10.7, the Unlock Credential workflow supersedes Remote Unlock.
- MyID can reset the user PIN to a predefined value at the cancellation of the smart card (when the smart card is present).
- MyID can set on-card PIN policy settings.
MyID allows you to set various policies for PINs using the settings in the credential profile. MyID enforces these settings (where possible) for any operations carried out by MyID. For some smart cards, some or all of these settings are applied directly to the card, which means that the settings will also be enforced by third-party tools and utilities.
GlobalPlatform – determines whether MyID can work with the GlobalPlatform keys on the smart card. This incorporates the following features:
- MyID can replace the factory GlobalPlatform keys with customer defined keys during issuance.
- MyID can replace the customer defined keys with the factory GlobalPlatform key at cancellation of the smart card (when present).
Many of the devices supported by MyID are based on card platforms that can support GlobalPlatform features. The GlobalPlatform keys, which are required to configure the features, are not always provided by card manufacturers, and so are tested only as part of specific project requirements or where the capabilities are a standard part of the card lifecycle management processes; for example, PIV cards. If you want to make more use of GlobalPlatform features and this document does not explicitly show support for them for your selected smart cards, contact Intercede to discuss your requirements in more detail.
Determines whether MyID can add and remove applets using GlobalPlatform technology. This incorporates the following features:
- MyID can add an applet onto the smart card during issuance or update.
- MyID can remove an applet from the smart card during update or cancellation.
PKI – RSA – determines whether MyID can work with certificates using RSA keys on the smart card. Some of the features listed below depend on the certificate authority you are using; see the integration guide for your CA.
This incorporates the following features:
- MyID can force the smart card to generate a private key for use in a certificate request.
- MyID can write a certificate to the smart card. This occurs during personalization of the smart card in smart card issuance, activation and update.
- MyID can use a certificate on the smart card to sign data cryptographically.
- MyID can specify the default certificate on the smart card that is used for Windows logon.
- MyID can write certificates with RSA 1024 bit keys to the smart card.
- MyID can write certificates with RSA 2048 bit keys to the smart card.
- MyID can write certificates with RSA 3072 bit keys to the smart card.
- MyID can write certificates with RSA 4096 bit keys to the smart card.
- MyID can remove certificates and their associated private keys from the smart card. This occurs during update or cancellation of the smart card.
- MyID can inject a private key to the smart card for certificate recovery operations.
- MyID can enumerate all certificates on the card, and mark those expected to be present that are not present as missing in the Identify Card workflow.
Note: Support for RSA 3072 and 4096 bit keys depends on the certificate authority. Check your certificate authority integration guide to ensure that RSA 3072 and 4096 bit keys are explicitly supported.
MyID uses the SHA-384 hash algorithm when issuing devices with 3072 and 4096 bit keys.
If you attempt to issue RSA 3072 or 4096 bit keys to smart cards that do not support them, the error message may differ from device to device. For example, you may see an error similar to:
Error: There has been an error writing to the card
PKCS#10 Error
Details
Error: There has been an error writing to the card
-2147220715 Exception thrown: class CardException
Error: 0x80040315: Error creating PKCS#10 request
Extra Info: Exception thrown: class CardException
Error: 0x8004032c : Smartcard - Unknown card status
Extra Info: 5FC105
Status 0x6A81
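An added triage helper (not part of the MyID documentation or product) that pulls the card status word and data-object reference out of an error like the one above and maps the status word to its ISO 7816-4 meaning, so an operator can tell an unsupported key size (0x6A81, function not supported) from an authentication or PIN-lock failure. The sample error text is the one quoted above, embedded as a constructed string; the regular expressions and function names are assumptions of this example.

```python
import re
from typing import Optional

# Constructed sample: the MyID error text quoted in this section, embedded so the helper runs offline.
SAMPLE_ERROR = """\
Error: There has been an error writing to the card
PKCS#10 Error
Details
Error: There has been an error writing to the card
-2147220715 Exception thrown: class CardException
Error: 0x80040315: Error creating PKCS#10 request
Extra Info: Exception thrown: class CardException
Error: 0x8004032c : Smartcard - Unknown card status
Extra Info: 5FC105
Status 0x6A81
"""

# Standard ISO 7816-4 status words (SW1 SW2) and their meanings.
ISO7816_STATUS = {
    0x9000: "Success",
    0x6982: "Security status not satisfied (PIN, SOPIN or GlobalPlatform key needed first)",
    0x6983: "Authentication method blocked (PIN or key locked)",
    0x6A81: "Function not supported (for example, key size or algorithm not available on this card)",
    0x6A82: "File or application not found",
    0x6D00: "Instruction code not supported",
}

STATUS_RE = re.compile(r"Status\s+0x([0-9A-Fa-f]{4})")
OBJECT_RE = re.compile(r"Extra Info:\s*([0-9A-Fa-f]{6})\s*$", re.MULTILINE)  # card data object tag

def parse_status_word(error_text: str) -> Optional[int]:
    """Return the ISO 7816 status word reported in a MyID card error, or None."""
    m = STATUS_RE.search(error_text)
    return int(m.group(1), 16) if m else None

def describe_status(sw: int) -> str:
    """Map a status word to its ISO 7816-4 meaning; 63Cx carries a PIN retry counter."""
    if (sw & 0xFFF0) == 0x63C0:
        return f"Verification failed, {sw & 0x000F} retries remaining"
    return ISO7816_STATUS.get(sw, f"Unrecognised status word 0x{sw:04X}")

def triage(error_text: str) -> dict:
    """Summarise a MyID card error as status word, meaning and the data object it names."""
    sw = parse_status_word(error_text)
    obj = OBJECT_RE.search(error_text)
    return {
        "status_word": sw,
        "meaning": describe_status(sw) if sw is not None else "No status word found",
        "data_object": obj.group(1).upper() if obj else None,
    }
```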
PKI – ECC – determines whether MyID can work with certificates using ECC keys on the smart card. Some of the features listed below depend on the certificate authority you are using; see the integration guide for your CA.
This incorporates the following features:
- MyID can force the smart card to generate a private key for use in a certificate request.
- MyID can write a certificate to the smart card. This occurs during personalization of the smart card in smart card issuance, activation and update.
- MyID can specify the default certificate on the smart card that is used for Windows logon.
- MyID can write certificates with ECC NIST P256 Curve to the smart card.
- MyID can write certificates with ECC NIST P384 Curve to the smart card.
- MyID can write certificates with ECC NIST P521 Curve to the smart card.
- MyID can remove certificates and their associated private keys from the smart card. This occurs during update or cancellation of the smart card.
- MyID can support archive certificate operations.
- MyID can enumerate all certificates on the card, and mark those expected to be present that are not present as missing in the Identify Card workflow.
Note: MyID can issue certificates using ECC keys to appropriate smart cards, but using ECC certificates on smart cards with Windows operating system features requires an appropriate minidriver or middleware that supports ECC certificates for that feature to be installed. Injecting an ECC private key to the smart card for certificate recovery operations is not supported.
Determines whether MyID can personalize and manage the smart card as a PIV card.
Note: Issuance of PIV cards to NIST standards, in accordance with the NIST specification SP800-73-3 and the latest available version of the NIST SP800-85B Data Conformance Test Tool, is available only in PIV installations. You must configure your system to support the PIV standard for issuing PIV or PIV-I devices that conform to these specifications.
MyID allows you to issue PIV cards without having a PIV system; however, PIV cards issued on non-PIV systems will not comply with NIST standards.
If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. For more information, see the Additional identities on devices with PIV applets section in the Administration Guide.
- MyID can personalize a PIV card in accordance with the NIST specification SP800-73-3 – available on PIV systems only.
- A PIV smart card issued by MyID must pass all applicable tests in the latest available version of the NIST SP800-85B Data Conformance Test Tool – available on PIV systems only.
- MyID can replace the factory PIV 9B key with a value defined by the customer.
- MyID can replace the customer PIV 9B key with the factory PIV 9B key at cancellation of the card (when present).
- MyID can depersonalize a PIV card so no end user information remains on the card (excluding the printed card surface).
- MyID can recover certificates into each of the historic key containers on the card (max 20).
Note: MyID recovers only as many certificates as the card will hold. During a certificate recovery operation, MyID actively interrogates the PIV card to determine the maximum number of certificates that can be recovered to it, and then restricts the number of certificates permitted for recovery to match. Some cards are manufactured with a restricted number of containers, and others may contain 20 containers but have only a smaller number available for key recovery. Contact your card vendor to discuss your requirements for the number of available certificate recovery containers.
- MyID can lock the GlobalPlatform keys on the smart card.
- MyID can unlock the GlobalPlatform keys on the smart card.
- MyID can unlock the PIN remotely with challenge response using the MyID Card Utility; see the Remote PIN Management utility for PIV cards section in the Operator's Guide for details.
Determines whether MyID can personalize a card to support OPACITY.
For more information, see section 2.11, Setting up OPACITY.
- MyID can enable the OPACITY capability of a PIV card in Zero Key Management mode (OPACITY-ZKM).
- MyID can generate an OPACITY pairing code for a PIV card when it is personalized, which is stored as an encrypted value in the MyID database.
Determines whether MyID can print a card layout to the surface of the smart card.
Determines whether MyID can issue the smart card to be used for Windows operations. This incorporates the following features:
- The issued smart card can be used for Windows logon when it holds an appropriate certificate.
You may need additional configuration of your Windows environment, including specific settings where elliptic curve cryptography (ECC) is used. See your Microsoft documentation for details.
Note: MyID communicates directly with PIV cards without using a driver or minidriver. You can use PIV cards for Windows logon; however, you may require additional software, such as a Windows minidriver. Contact your card vendor for details.
For ECC certificates on PIV cards, the built-in Windows minidriver – which registers the smart card as "Identity Device (NIST SP 800-73[PIV])" in Windows Device Manager – does not allow the use of ECC certificates with functionality such as Windows logon.
Note: If you want to use RSA 3072 and 4096 bit keys for Windows logon, you must ensure that the combination of devices and drivers you are using supports these keys for Windows logon. Check with your device vendor whether specific drivers are required.
- The issued smart card can be used for email signing when it holds an appropriate certificate.
- The issued smart card can be used for email encryption when it holds an appropriate certificate.