PKI and Smart Card Implementer's Planner

These are the questions you need to answer when implementing an integrated PKI and smart card solution.


* What OSs are using PKI services as clients? Of those, which require smart card functionality?
* What is the directory service for enterprise clients?
* What is the directory service for extranet clients?
* How is the CA hierarchy implemented (software/OS, online/offline, root/subordinate, manual enrolment/automatic enrolment)?
* Are there any PKI services provided outside the organisation/enterprise network?
* What are the CRL distribution points?


How will PKI be used? For each use below, outline the OS, the type of certificate storage (software/smart card/USB token/HSM), and relevant details such as software additional to the standard OS features and third-party software.

* CA
* Smart card logon
* VPN authentication
* Web site logon
* Windows Terminal Services client authentication
* Citrix client authentication
* E-mail signing - intra-organisational communication
* E-mail signing - external communication
* Wireless network authentication
* Web server certificates
* Computer certificates - IPsec client authentication
* IPsec gateway/concentrator certificates
* RADIUS server certificates
* Computer certificates - 802.1x
* Real-time communications (SIP etc.)
* Other applications (e.g. SSH, PGP)

Certificate Management

* Certificate expiration: how are users notified about upcoming certificate expiry?
* Certificate expiration: how are admins notified about upcoming certificate expiry?
* If S/MIME is used for external e-mail signing and encryption, how are the certificates published (web address book/LDAP/etc.)?
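The two expiry questions above, together with the CRL distribution point question in the first list, become concrete once you can read the relevant fields out of an issued certificate. The following Go program is an added example, not part of the original planner: it builds a self-signed certificate in memory (the subject names, the CDP URL `http://crl.example.internal/issuing-ca.crl` and the lifetimes are constructed sample values), then computes how many days remain before expiry, flags certificates inside a notification window, and lists the CRL distribution points so each URL can be checked for reachability from every client network that must validate the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExpiryStatus summarises one certificate for an expiry/CDP report.
type ExpiryStatus struct {
	Subject   string
	NotAfter  time.Time
	DaysLeft  int      // whole days until NotAfter; negative once expired
	Expired   bool
	Warn      bool     // still valid but inside the notification window
	CRLPoints []string // CRL distribution point URLs carried by the certificate
}

// checkCertificate parses one PEM-encoded certificate and evaluates it against
// "now" and a notification window of warnDays. It also surfaces the CRL
// distribution points so each URL can be verified as reachable from every
// client network that has to validate the certificate.
func checkCertificate(pemBytes []byte, now time.Time, warnDays int) (ExpiryStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return ExpiryStatus{}, fmt.Errorf("input does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ExpiryStatus{}, fmt.Errorf("parsing certificate: %w", err)
	}
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	return ExpiryStatus{
		Subject:   cert.Subject.String(),
		NotAfter:  cert.NotAfter,
		DaysLeft:  days,
		Expired:   remaining <= 0,
		Warn:      remaining > 0 && days < warnDays,
		CRLPoints: cert.CRLDistributionPoints,
	}, nil
}

// needsNotification filters a set of certificates down to those that should
// trigger a user or admin notification: inside the window or already expired.
func needsNotification(certs [][]byte, now time.Time, warnDays int) ([]ExpiryStatus, error) {
	var out []ExpiryStatus
	for _, c := range certs {
		st, err := checkCertificate(c, now, warnDays)
		if err != nil {
			return nil, err
		}
		if st.Warn || st.Expired {
			out = append(out, st)
		}
	}
	return out, nil
}

// constructedCert builds a self-signed certificate in memory so the example runs
// offline. The subject name, CDP URL and lifetime are made-up sample values.
func constructedCert(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1001),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.internal/issuing-ca.crl"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	vpn, _ := constructedCert("vpn-gw01.example.internal", start, 365*24*time.Hour)
	web, _ := constructedCert("intranet.example.internal", start, 2*365*24*time.Hour)
	now := start.Add(350 * 24 * time.Hour) // simulated clock: 15 days before the VPN cert expires
	report, err := needsNotification([][]byte{vpn, web}, now, 30)
	if err != nil {
		panic(err)
	}
	for _, st := range report {
		fmt.Printf("%s expires %s (%d days left, expired=%v) CDPs=%v\n",
			st.Subject, st.NotAfter.Format(time.RFC3339), st.DaysLeft, st.Expired, st.CRLPoints)
	}
}
```

In a real deployment the PEM input would come from the CA database export, the directory, or the certificate stores of the devices listed in the usage inventory above, and the same walk over CRLDistributionPoints is a convenient place to verify that extranet and VPN clients can actually fetch each CRL before the certificate is relied on.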

Smart Card Management

* What type of card is used - chip card, chip card with integrated RFID/proximity component, or contactless smart card?
* What are the software requirements for the smart cards (e.g. PKCS #11 libraries for different OSs, Windows CSP, etc.)?
* Based on the above requirements, what card manufacturer/model/OS is chosen?
* Is a certificate enrolment station (delegated enrolment) used, self-enrolment, or a combination?
* How is the initial PIN released to users? Is secure printing used?
* Is PIN complexity enforced, and how (e.g. by an application on the smart card)?
* If a user forgets the PIN, what is the procedure for using the PUK, if any?
* If a user forgets the card at home, what is the process for granting temporary access - reverting to passwords, issuing a temporary access card, or something else?


* How is monitoring against privilege abuse (e.g. unauthorised issuance of an enrollment agent certificate) implemented?
* Is key escrow required for any application and, if so, how is it implemented?
* Why are there still users who use passwords rather than smart cards?
* Did implementing smart card logon reduce the helpdesk cost of password maintenance?
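The monitoring question above is worth answering with an actual check, because an enrollment agent certificate lets its holder request certificates on behalf of other users, so an issuance to an account that was never approved for that role is exactly the privilege abuse the planner asks about. The Go program below is an added example and not part of the original planner or of any CA product: it reads a constructed issuance export (the CSV layout `time,requester,template,ekus`, the account names and the template names are all made up for this example), identifies enrollment agent certificates by the Microsoft Certificate Request Agent EKU OID `1.3.6.1.4.1.311.20.2.1` rather than by template name, and reports every such issuance whose requester is not on the approved list.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// EnrollmentAgentEKU is the Microsoft "Certificate Request Agent" EKU OID that
// marks a certificate as an enrollment agent certificate.
const EnrollmentAgentEKU = "1.3.6.1.4.1.311.20.2.1"

// Issuance is one row of a constructed CA issuance export. The column layout
// (time, requester, template, semicolon-separated EKU OIDs) is an assumption
// made for this example, not the export format of any real CA product.
type Issuance struct {
	Time      string
	Requester string
	Template  string
	EKUs      []string
}

// parseIssuances reads the constructed CSV export, skipping the header row.
func parseIssuances(export string) ([]Issuance, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Issuance
	for i, row := range rows {
		if i == 0 {
			continue // header
		}
		if len(row) != 4 {
			return nil, fmt.Errorf("row %d: expected 4 columns, got %d", i, len(row))
		}
		var ekus []string
		for _, e := range strings.Split(row[3], ";") {
			if e = strings.TrimSpace(e); e != "" {
				ekus = append(ekus, e)
			}
		}
		out = append(out, Issuance{Time: row[0], Requester: row[1], Template: row[2], EKUs: ekus})
	}
	return out, nil
}

// isEnrollmentAgentCert keys on the EKU rather than the template name, so a
// custom template that grants the same capability is still caught.
func isEnrollmentAgentCert(is Issuance) bool {
	for _, e := range is.EKUs {
		if e == EnrollmentAgentEKU {
			return true
		}
	}
	return false
}

// unauthorisedAgentIssuances returns every enrollment agent certificate issued
// to a requester outside the approved set. Names are compared
// case-insensitively, as Windows account names are.
func unauthorisedAgentIssuances(issuances []Issuance, approved []string) []Issuance {
	allow := make(map[string]bool, len(approved))
	for _, a := range approved {
		allow[strings.ToLower(a)] = true
	}
	var flagged []Issuance
	for _, is := range issuances {
		if isEnrollmentAgentCert(is) && !allow[strings.ToLower(is.Requester)] {
			flagged = append(flagged, is)
		}
	}
	return flagged
}

// constructedExport is sample data made up for this example.
const constructedExport = `time,requester,template,ekus
2024-03-01T09:12:00Z,CORP\svc-enroll01,EnrollmentAgent,1.3.6.1.4.1.311.20.2.1
2024-03-01T10:03:00Z,CORP\jsmith,User,1.3.6.1.5.5.7.3.2;1.3.6.1.5.5.7.3.4
2024-03-02T01:47:00Z,CORP\tmiller,CustomAgentTemplate,1.3.6.1.4.1.311.20.2.1
2024-03-02T08:30:00Z,CORP\webserver01$,WebServer,1.3.6.1.5.5.7.3.1
`

// approvedAgents lists the accounts the planner has authorised to hold
// enrollment agent certificates (a constructed value).
var approvedAgents = []string{`CORP\svc-enroll01`}

func main() {
	issuances, err := parseIssuances(constructedExport)
	if err != nil {
		panic(err)
	}
	for _, f := range unauthorisedAgentIssuances(issuances, approvedAgents) {
		fmt.Printf("ALERT %s: enrollment agent certificate issued to %s via template %q\n",
			f.Time, f.Requester, f.Template)
	}
}
```

Matching on the EKU instead of the template name is the deliberate design choice here: a renamed or newly created template that still carries the Certificate Request Agent EKU confers the same authority, and the approved list should be the same list the planner records when deciding who operates the enrolment station.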