NIST: Personal Identity Verification (PIV) of Federal Employees and Contractors (nist.gov)
114 points by stefankuehnel on March 23, 2024 | hide | past | favorite | 49 comments



I had to get one of these recently. (And thankfully, I am done with the government for a while.) If you want a process that will make you believe "wow, we have too much bureaucracy in this country", then get a PIV card. By the end, I thought I was definitely just being strung along in some sort of eternal joke, and had started joking that the reward for completing forms was more forms.

So many forms. Randomly imposed, arbitrary deadlines that were utterly impossible. (And … not really deadlines, since you can just email and say a polite "how about no" & magic extensions happen.) Forms that were submitted by encrypting them into a zip, and then sending zip+password in an email…?

The person who fingerprinted me was royally annoyed at me for showing up with all the materials their office had told me to show up with, but not having the materials that I wasn't told to show up with. (And that I wasn't "in the system" — okay. I'm new! I don't know why that is, nor who to ask, nor what 98% of the acronyms mean.)

You want to stop being a contractor, and give the PIV card back? More forms.

I started jokingly wondering when signatures in blood happen.

Definitely wasn't worth it, in my case.


It's weird to read this coming from a country that basically bundles PIV with your ID. Once every few years you take a new picture and go grab it from a police station in half an hour and that's basically it.

And at the same time support this widespread would not exist without the U.S. using PIV, so I'm glad people bother :D I also recall some U.S. government site recommending a small and sleek card reader designed here (folds into a USB-stick shape).

Hopefully these processes improve and systems become more interoperable cross-borders at some point.


What country, out of curiosity?

Mine used to issue PIV smartcards (I think; at least there was a PKCS#11 driver for it available), but discontinued it in favor of server-hosted “private keys” unlocked via SMS-OTP (I wish I was kidding).


Estonia, but Finland and a few others have similar things going on.


“Forms that were submitted by encrypting them into a zip, and then sending zip+password in an email…?”

I suspect that’s not too uncommon.


I'd also add that the instructions were (paraphrased to show the absurdity of them)

  1. create a plaintext ZIP
  2. completely overwrite the file created in #1 with an encrypted ZIP
so if you followed the instructions, one of the steps was utterly pointless, too.


Yes, I’ve experienced it a few times as well. That doesn’t make it any less bizarre though.


I'm glad they explain how to write names on the card for even very long names, like: "Dingo Pontooroomooloo Vaasa Silvaan Beenelong Wooloomooloo Warrandyte Warwarnambool"


To send you down a bit of a rabbit hole: ICAO's standard 9303 [1] on how to abbreviate long names for use on the MRZ of international travel documents uses the exact same examples.

[1] https://www.icao.int/publications/Documents/9303_p4_cons_en.... (page 30)


I wonder how they came up with this. I thought it was unique to FIPS 201 but looks like ICAO has it too. Is there like a lorem ipsum generator but for text that looks like names?


That is weird. Dingo is an Australian native dog. Wooloomooloo and Bennelong (slight spelling difference) are in Sydney, Australia. Warrandyte is an outer suburb north of Melbourne. Warnambool (not Warwarnambool) is a town to the west of Melbourne. I've been to all of them.

Why so much Australian in this example?!


Some involvement with the Australian outback and NASA at some point in history?


Maybe, but there's nothing outback about any of those places. Warrandyte is a great place to watch platypus playing in the Yarra river!


How?


Table 4-1 on page 44, I think.


I use a PIV Badge as a FAA contractor. We're told to never use the PIV badge as a means of identification anywhere. The documentation doubles down by mentioning to never use it as an ID at an airport. I've been told it is because FAA employees would use it and the airline workers would then freak out that the employee was there to inspect them.


> We're told to never use the PIV badge as a means of identification anywhere

I must be misunderstanding what you mean by this, because I'm struggling to fathom what possible use a "personal identity verification badge" could possibly have _other_ than as a means of identifying yourself.


I’m a contractor for DHS and heard a rumor a long time ago that you could get special treatment with TSA agents when using your DHS badge as identification. Yeah no. Doesn’t work :) Southwest did give me a free drink one time though and thanked me for my service - they saw the laptop and PIV plugged in while I was working on the plane and thought I was military. I did correct them but also took the free drink.


You don't use your PIV anywhere because you don't want your creds--certs, etc--to be swiped. You use it for facility access and PKI.


Isn’t there a PIN to protect these? Also, I’m assuming GP meant “not visually displaying as ID”, not “trying to swipe the PIV at a random computer”?


The PIN is required to get the card to perform cryptographic operations, not list certificates -- although the certificates aren't a secret, within DOD there are sites like DOD411 to get anyone's certificate, though I haven't checked for an FPKI equivalent.

The real reason not to use your PIV for ID in random places is that it's meant to be used as an ID for you acting in your official capacity. This can also be seen in the case where people have multiple PIVs to represent their multiple identities, like National Guard who may have a PIV as a contractor and a PIV as a National Guard -- they would use the correct one depending on what capacity they are acting in, or none if it's not part of their official duties.


PIV and CAC (DOD, but is now a PIV with CAC-NG) has been around for a very long time. Passwords haven't been permitted in the US Government since a short time after the signing of HSPD-12 in 2004.


It depends. There are IL2-exposed sites that permit password login, and interface with IL4 backends (milConnect and DEERS, MOL and MCTFS, etc.). I'm not sure what the ATO process looks like for those systems though. But you're not getting direct IL4+ access without a CAC somewhere.


That's blatantly false. I just left an agency with passwords on all their Unix boxes. With zero rotation policies. It's a shitshow.


You both can be right: the US Gov will write well-intentioned policy that none of their live teams can keep up with, even after 20 years, and I haven't yet seen a practical enterprise authentication architecture that doesn't fall back on passwords somewhere.


Within the DOD the most common solutions are SSH keys using the CAC, Kerberos with PKINIT, or using some type of intermediate systems to handle the auth like CA PAM.

There can still be a root password for emergencies, but it wouldn't be available for remote access -- ILOM or some other BMC (or even a serial port concentrator) would be configured for HSPD-12-compliant auth for remote console access, then you would use the root password for system access (though you could also just reboot into a separate operating system, since disk encryption isn't required except for mobile devices).

I'm not sure what the above poster's command or organization was doing to comply with HSPD-12, but they were most likely doing something. The compliant reports are generally public, also.


Yes but PIV/CAC identity is not related to break-glass passwords. They both serve different purposes and it's safe to assume that the typical government worker will only ever need to use their smart card to authenticate into systems.


Having a long and storied history in DoD contracting, this is not the case.

CAC login is for web only in most cases.


I started out as a federal civil servant in the late 90s working for the Navy and switched to contracting shortly thereafter, working at mostly US DOD customers (Navy, Army, USSOCOMHQ), but also DHS (HQ and all components minus SS and CG).

In my experience, at every place we had a different approach but all satisfied HSPD-12 and did not use passwords shortly after the various directives were promulgated through the various channels, except on classified systems since there wasn't a procedure at the time to declassify the CAC/PIV after periods processing -- though there were plans for changing that, and it may be resolved by now.


I won’t go into detail, but my experience was not the same, not even close.


PuTTY-CAC was an interesting, although imperfect solution to using PIV/CAC cards together with SSH. I remember piloting it from 2013-2014 at an agency. Back then, it was maintained by Dan Risacher[0]. Nowadays it is maintained on GitHub[1] and adopted some interesting features like FIDO.

[0] https://risacher.org/putty-cac/

[1] https://github.com/NoMoreFood/putty-cac


But could you get into the network to access the UNIX boxes without a PIV card? That's how the NIH works -- the UNIX boxes do have passwords, but unless you are on campus you have to connect to the VPN with your PIV card first.


NIST has a similar setup. There’s an exemption for e.g. summer students who are issued temporary non-PIV badges, but they’re issued a YubiKey that’s required to access the network from off campus.


Recentish YubiKeys have PIV functionality too (I have used that to log in to my work MacBook in place of passwords).


Maybe, just maybe it’s possible the US Government is an enormous entity and there could be some inconsistencies.


There is a lot of variety in how different places implement Homeland Security Presidential Directive 12 (HSPD-12), but the reports on compliance are public and since it's an initiative that's been going on since 2004, compliance is high.


LOL.

Nice theory, but has no actual connection to the real world.


Lol


I'm working on a personal project using PKCS11 stuff. I'm glad for the commonality of PIV cards - It's a terrible standard but it's intercompatible enough that it's made HSMs suitable for SMB very cheap.


PIV cards in Windows work shockingly well out of the box. I bought some Taglio-branded PIV cards to play with and have certificate-based logon to my webserver going in just a couple of hours. Logon to Windows itself took more work but wasn't too difficult.


That doesn't stop some people from installing other middleware like ActivClient (although it will let you change your PIN; no idea if this is in the Windows PIV driver since I mostly use my own (CACKey) and don't really use Windows)


Even macOS supports them!


I do a lot of PKCS11 stuff, let me know if there's something I can help with.


Not sure why this was posted and made it to the front page but identity is certainly critical infrastructure with further challenges coming soon.

Surprised no one has mentioned the open sourcing of the Orb in this context https://worldcoin.org/blog/engineering/worldcoin-foundation-...


Does literally no one in the US federal government use online dating/hookup services? How is this called PIV? Like, the giggling alone would disqualify me from most jobs.


The DoD also doesn’t employ 12 year olds that would giggle at that, so needn’t worry.


pity


(2022)


(PDF)



