FIM and Card Management
Hi there. Can I use FIM's Card Management function to provision on the same smartcard both logical access (certificates) as well as physical access credentials on the card? Does FIM have open APIs so that we can integrate FIM with a physical access control management SW so that via FIM we can get the physical access credentials? Also, if the customer has applications such as cashless vending and other smartcard applications, can FIM provision such applications? Are there off-the-shelf connectors that FIM can integrate with so that such applications can be enabled and provisioned on the smart cards? Finally, is there anyone who has experience and feedback with FIM and HID cards for physical and logical access? Thank you Pambos
May 11th, 2010 5:44pm

To communicate with your smartcard, FIM can use BaseCSP or PKCS#11, depending on your type of smartcard (.Net Card or Java Card). To use all features FIM provides, you should use BaseCSP. With PKCS#11 some features like offline PIN unblock will not work. Regarding your question with FIM and HID cards: Microsoft, Oxford Computer Group, hHold and HID will do a FIM Launch event where one scenario will be to show how to create a user, assign a smartcard, provide an authentication certificate and physical access control to the HID card. If you have any further questions, please let me know. So long... Florian
May 11th, 2010 10:29pm

Dear Florian, thank you for the response. What is the difference between BaseCSP and PKCS#11 technology? The HID Crescendo cards support both standards. So judging from your response, FIM is (will be) able to provision the physical access chip on the card? This is even better. But how does FIM get the authorized physical locations for access per door? Via APIs with the physical access control SW? Do you have any more feedback on when and where the launch event is scheduled for? This is pretty much my project! Also, do you have any feedback on how applications such as cashless vending, e-purse, etc. can be provisioned in such cards? Does FIM support provisioning such applications (is there a list with supported applications, such as cashless vending, library applications, etc.)? Thank you
May 12th, 2010 1:19pm

In a typical scenario you will have some kind of card provisioning system that allows you to bring your picture onto the smartcard and load the smartcard with additional features and functions, including the physical access chip. You can use FIM to create the workflow for provisioning the card and trigger the smartcard provisioning system. The events I mentioned will take place in Germany at Microsoft Munich and Microsoft Cologne. Invitation to the event "Forefront Identity Manager Launch – Expert Roundtable". Date / Location: Thursday | 27 May 2010 | Microsoft office Oberschleißheim | Directions Munich; Monday | 31 May 2010 | Microsoft office Köln | Directions Köln. I will try to get the presented material in order to give you the information. I am currently in contact with HID. If there is any news on that I will let you know. Best regards Florian
May 13th, 2010 9:34am

Dear Florian, thank you for your feedback. I will be looking forward to receiving from you the presented material as well as any information you can get from HID on this matter. Also, in your note you are referring to "triggering" another card management SW; I suppose this is possible via APIs on the FIM, correct? Thank you for the invaluable information. PAMBOS
May 13th, 2010 2:55pm

Dear Charala, I have deployed physical & logical access cards at some of the major Oil & Gas companies. I would be happy to help you with your questions. Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com
June 3rd, 2010 4:55am

Dear Florian, how did the event go for FIM 2010 and HID? Is there material to share with me? Thanks
June 4th, 2010 11:48am

Hi Jameel et al. Thank you for your interest. Since you are an expert, do you have experience with FIM and HID Crescendo cards? Or FIM and Gemalto cards? I am kind of skeptical of Gemalto due to the high cost, and on the other hand I am skeptical of HID smartcards due to less experience on the smartcard contact aspect. Also, the reason an organization selects to go with a single-card vision for integrated logical and physical access is that it wants one card to handle access to logical and physical resources, as well as many other applications, such as cashless vending, parking fee access, library things, e-purse, etc. At the same time a single platform needs to manage all these, where we hope that FIM 2010 can do it. For the applications I mention here, I am getting the impression that HID Crescendo cards are doing all these applications via partners on the contactless chip, while Gemalto is doing all these applications on the contact chip. Maybe I am wrong with this assessment, so I kindly ask for your feedback. Thank you Pambos
June 4th, 2010 11:54am

Dear Charala, I have worked with both the HID Crescendo cards and with Gemalto cards. For all practical purposes they operate the same way, except for the fact that Crescendo is based on the Java platform and Gemalto is based on .NET. Also, as Gemalto uses HID's card body, the comparison is even on the contactless side of the equation. Besides the cost, another factor to consider is the use of the card on a non-Windows machine. If you are planning on leveraging a card for logon or signature on a non-Windows platform, then you do need to look for a card which can support PKCS#11. The last time I had checked, between the two cards only Gemalto's .NET card supported PKCS#11. HID's support was work in progress for a minidriver-based card. Absolutely, totally agree with the value prop which a smart card provides. To add to the context, enterprises have also been able to use smart cards for remote access and thus eliminate the need to carry an RSA/OTP token. With regards to the integration between logical & physical access provisioning, currently it's only at the card level. FIM only supports the provisioning of the logical side of the house. It is not able to provision the physical access credentials/applications yet. About the applications you have mentioned, they can be implemented either way: as a contactless solution or a contact-based solution. However, as I had mentioned earlier, FIM cannot manage contactless. It needs to be managed separately via custom/vendor products. On the contact side, FIM supports the on-card PKI application really well. Its support for on-the-fly on-card application management for other applications is limited at best. I realize that it is turning out to be a lengthy post; please shoot me an email and I can help you further with any other questions you may have about costs, approach, deployment etc. Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com
June 4th, 2010 5:17pm

Hey, sorry for my late answer, I've been on the road the last couple of days. HID does provide .Net and PKCS#11 cards. The Crescendo 200 card is based on Microsoft Base CSP. I would like to share some thoughts regarding physical security: Physical access control systems use fundamentally static shared secrets to open the doors. In principle, a card contains an identifier that a database associates to a user and to specific access rights through specific doors. The system then consists of a card number for each user, a reader that can extract that number from the card and send it to a controller, and a controller connected to the door and to a host system that manages authorizations. To make the system secure, reading of the identifier from the card can be done using secure communications between the card and the reader, and that is what HID has been traditionally known for. We have secure card formats that are protected by keys known only to our readers, and we also have programs that are company specific, so a big enterprise can make sure that their cards will only be accessible by readers built specifically for them. But when you do a logical abstraction of all this security, at the end it is just a number for a user. What one of our Connect program partners has done is use Active Directory as the authorization mechanism for physical access control, and to do this, they write the card number as an attribute in Active Directory for each user. We have developed an issuance workstation that uses our Fargo printers with a built-in smart card reader to securely read the iClass card number and write it to Active Directory for that user. Then, the system takes advantage of Active Directory also to control access by defining groups equivalent to doors (or controllers if you like), and making an AD user a member of a group grants her access through that door.
For this there is an agent running on the server that updates the controllers with the card numbers for the users that are authorized to go through that specific door. So in fact, during the issuance process, the card is printed, the certificate is written to the chip as you would do it with a desktop reader, and the physical access control is enabled because the card happens to be first and foremost an already programmed HID iClass card. You could of course put any other minidriver-enabled chip in our HID iClass card bodies and have the same experience, but we already offer the Crescendo C200 card that has a minidriver, so our platform is ready to use out of the box. In our demo with FIM and HID we wrote the serial number of the card to the user's attribute. So we can manage the physical access of the user by managing his group membership. It works pretty well. If you have any more questions regarding the show case, please provide me your contact data so we can get in contact. Thx and best regards Florian
June 12th, 2010 7:20pm
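As an added illustration of the "one AD group per door" scheme Florian describes (this is my own sketch, not code from HID, the Connect partner or the FIM/HID demo), the Python below models what the sync agent has to derive: per-controller card-number whitelists from the card-number attribute and group memberships, plus the adds and revocations to push. The attribute name 'cardNumber', the group and controller names and the user records are all constructed for the example.

```python
"""Model of the scheme described above: the card number is a user attribute,
one AD group per door, and an agent derives each controller's whitelist."""
from collections import defaultdict

# Constructed directory snapshot; 'cardNumber' is a hypothetical attribute name.
USERS = {
    "alice": {"cardNumber": "0010234", "enabled": True, "memberOf": {"Door-Lobby", "Door-ServerRoom"}},
    "bob":   {"cardNumber": "0010235", "enabled": True, "memberOf": {"Door-Lobby"}},
    "carol": {"cardNumber": "0010236", "enabled": False, "memberOf": {"Door-Lobby", "Door-ServerRoom"}},  # account disabled
    "dave":  {"cardNumber": None, "enabled": True, "memberOf": {"Door-Lobby"}},  # no card issued yet
    "eve":   {"cardNumber": "0010234", "enabled": True, "memberOf": {"Door-Lobby"}},  # same number as alice
}
# Door group -> controller guarding that door (constructed).
DOOR_CONTROLLERS = {"Door-Lobby": "ctrl-01", "Door-ServerRoom": "ctrl-02"}

def duplicate_card_numbers(users):
    """Card numbers held by more than one user. The number is a static
    identifier, so a duplicate lets one holder inherit another's doors."""
    owners = defaultdict(set)
    for name, attrs in users.items():
        if attrs["cardNumber"]:
            owners[attrs["cardNumber"]].add(name)
    return {num: sorted(who) for num, who in owners.items() if len(who) > 1}

def desired_whitelists(users, door_controllers):
    """Numbers each controller should accept: enabled users with a card who are
    members of the door's group; duplicated numbers are withheld until resolved."""
    dupes = duplicate_card_numbers(users)
    lists = {ctrl: set() for ctrl in door_controllers.values()}
    for attrs in users.values():
        num = attrs["cardNumber"]
        if not attrs["enabled"] or not num or num in dupes:
            continue
        for group in attrs["memberOf"] & set(door_controllers):
            lists[door_controllers[group]].add(num)
    return lists

def controller_changes(current, desired):
    """Per controller: (numbers to add, numbers to revoke) for the agent's push.
    Revocations matter most: a disabled account must lose its doors promptly."""
    return {ctrl: (sorted(desired[ctrl] - current.get(ctrl, set())),
                   sorted(current.get(ctrl, set()) - desired[ctrl]))
            for ctrl in desired}

if __name__ == "__main__":
    # Constructed snapshot of what the controllers hold now: carol still present, bob not yet pushed.
    current = {"ctrl-01": {"0010236"}, "ctrl-02": {"0010236"}}
    print(duplicate_card_numbers(USERS))
    print(controller_changes(current, desired_whitelists(USERS, DOOR_CONTROLLERS)))
```

The same logic shows why the duplicate-number and disabled-account checks belong in the agent rather than in the reader: once the number is on a controller, the reader has no way to tell who is presenting it.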

