PKI Enrollment and Renewal

Does CSP^id install as a Windows CSP so that our CA can issue certificates based on certificate templates in Active Directory?

Yes. CSP^id utilizes Microsoft's new "Base Smart Card Cryptographic Service Provider" in a manner that makes Windows think it is a smart card. Just select the "Base Smart Card Provider" on your enrollment page, and the enrollment process will utilize CSP^id for key generation and private key storage.

What does browser-based enrollment with CSP^id look like in Internet Explorer or in Firefox (or in any other Netscape-based browser)?

With Internet Explorer, you must select the "Base Smart Card Provider" (or let the CA enrollment page do this for you) and enter your CSP^id password.

With a Netscape-based browser, you would be prompted to choose a token (typically, the choices presented are "Software" and"ISC CSPid"). Select "ISC CSPid" and enter your password.

If we use the Windows Server 'Autoenrollment' feature with CSP^id, what does the user see in terms of messages and options?

The user will simply be prompted to enter their CSP^id password.

What are the limitations of the CSP^id key store?

When accessed through its Microsoft Smart Card Minidriver, CSP^id behaves like a smart card and is therefore limited to 255 key pairs. However, when accessed through its PKCS #11 interface, its capacity is limited only by the size of the storage device on which its PKCS#15-based key store is located.

Support for Roaming Users

Does CSP^id support roaming users? If so, how?

CSP^id supports roaming users in either of two ways:

1. by using Windows roaming profiles to gain access to the user's registry and the key store in the user's 'Application Data\CSPid' folder, or
2. by using its configuration file to access the network device on which the user's key store has been located

To gain access to your CSP^id credentials, you need only log in to a Windows system with your roaming profile, or point your CSP^id configuration file at your key store as in case 2.

Can I access my CSP^id credentials without using Windows roaming profiles?

In the absence of roaming profiles, a user with CSP^id configured as in case 2 above can simply click the "Register with Applications" item in CSP^id's system tray menu to make their credentials available to all supported applications on the system.

How does CSP^id compare with Windows credential roaming?

CSP^id provides many advantages over Windows credential roaming:

1. with CSP^id, your keys reside in only one file on the network, they are not replicated on each machine
2. CSP^id allows you to change your password at any time without loosing access to your keys and it provides flexible administrative controls over password policies
3. CSP^id does not "escrow" or otherwise store your keys in Active Directory
4. CSP^id works with Firefox, Java, and other non-CAPI enabled applications
5. CSP^id allows you to roam to Linux, Solaris, and other UNIX-based workstations

Security Policy Enforcement

How does an administrator manage CSP^id's passphrase policies?

CSP^id security policy is managed by editing its configuration file and deploying that file with the software prior to, or after, installation.

Is there any support for Active Directory group policies?

There is no direct support for the enforcement of Active Directory group policies at this time.

Architecture

CSP^id is a virtual smartcard that maintains a central repository for private keys and X.509 certificates. It provides a secure environment for cryptographic operations that applications can access via Java, PKCS#11, or Microsoft CAPI.

CSPid 1.1 Architecture Diagram

Exactly where are my keys stored and how are they protected?

CSP^id stores your key material in a single file as a (password-encrypted) PKCS #15 protocol data unit (PDU). PKCS #15, the "Cryptographic Token Information Format Standard," is an extension of the IETF cryptographic message syntax used for S/MIME. (The standard also provides guidance on properly storing cryptographic keys so as to ensure both their integrity and confidentiality.)

Use of PKCS #15 PDUs virtually ensures future interoperability with security-enabled applications from a wide range of vendors of both hardware- and software-based cryptographic tokens. When you entrust your credentials to CSP^id, you're not locking yourself into a closed, proprietary system.

The location of your CSP^id key store is determined by a setting in the product configuration file. (The default key store folder under Windows is 'Documents and Settings\<user>\Application Data\CSPid').

Within the key store (a .p15 file), each private key is encrypted using AES-256 in CBC mode using a random symmetric key, which is itself AES-encrypted using a key derived from the user's CSP^id password. This scheme complies with all relevant NIST key management guidelines, IETF RFCs, and PKCS standards documents (i.e., it's squarely based on open, established, and well-respected standards).

What is PKCS #11 and what role does it play in the CSP^id architecture?

PKCS #11, the "Cryptographic Token Interface Standard" (also called "Cryptoki"), is an application programming interface (API) that can be used to communicate with a cryptographic device. Supported by most vendors of cryptographic tokens, it provides a platform-independent alternative to Microsoft CryptoAPI ("CAPI").

In CSP^id, an integrated PKCS #11 library uses the ISC CDK to provide key storage and cryptographic operations either directly to PKCS#11-enabled applications (such as Firefox, Thunderbird, and Java apps), or indirectly (through a smart card minidriver) to CAPI-enabled Windows applications (such as Outlook and Internet Explorer).

CSP^id's use of PKCS #11 allows users to roam (with their platform-independent PKCS #15-based credentials) at will between Windows, UNIX, Linux, and Mac OS X workstations.

Standards Compliance and PKI Compatibility

With which security standards does CSP^id comply?

CSP^id is built upon ISC's FIPS 140-2 compliant Cryptographic Development Kit (CDK) version 7.0. It conforms with all relevant Federal and industry standards (including PKCS#1/7/11/12/15, IETF PKIX RFCs, and ANSI X9 certificate standards). In particular, it satisfies the latest DoD NSTISSP No. 11 and NIST FIPS 140-2 acquisition requirements.

Does CSP^id support my company's PKI?

CSP^id works with credentials from most leading CAs and PKI vendors, including Entrust, Microsoft, Red Hat, RSA Security, VeriSign, and ISC.

In addition, ISC is willing to customize the product to narrowly target an enterprise customer's certificate lifecycle management practices. In particular, your planned or existing enrollment, renewal, and revocation mechanisms can be directly supported in the CSP^id management interfaces to dramatically simplify the PKI experience for your end-users.

Platform-Dependent Issues

Is CSP^id supported on Windows Vista?

Yes, CSP^id is fully Vista-compatible and is "Certified for Windows Vista" logo certified. Although Vista does not support complete CAPI CSPs from independent software vendors, CSP^id will integrate into Internet Explorer and other CAPI-enabled applications through the Microsoft Base Smart Card Cryptographic Service Provider (via its supplied Smart Card Minidriver). In addition, CSP^id's PKCS #11 library and interface allow it to integrate into all Netscape-based browsers and Java applications on Windows Vista.

General Questions

How do I change my CSP^id password?

You can either click the "Change Password" item in CSP^id's system tray menu, or use the similarly-named menu item in CSP^id's Management tool.

Licensing

How is CSP^id licensed?

CSP^id is normally licensed on an enterprise-wide basis under terms negotiated with ISC. The typical contract includes free updates and support for one year. Maintenance may be renewed on an annual basis in subsequent years for an agreed-upon percentage of the original site license fee.