├── .codeinventory.yml
├── .gitignore
├── CONTRIBUTING.md
├── Gemfile
├── ISSUE_TEMPLATE.md
├── LICENSE.md
├── README.md
├── _config.yml
├── _engineering
├── 00_index.md
├── 01_firefox.md
└── 02_ssh.md
├── _includes
├── alert-error.html
├── alert-info.html
├── alert-preview.html
├── alert-success.html
├── alert-warning.html
├── analytics.html
├── footer.html
├── head.html
├── header.html
├── navbar.html
├── scripts.html
└── sidebar.html
├── _layouts
└── default.html
├── _networkconfig
├── 00_index.md
├── 01_portsprotocols.md
├── 02_domaincontrollers.md
├── 03_managingtrustroots.md
├── 04_accounts.md
├── 05_grouppolicies.md
├── 06_tuning.md
├── 07_mac.md
├── 08_windows10.md
├── 09_references.md
├── 10_localca.md
└── 11_ama.md
├── _sass
├── _base.scss
├── _layout.scss
└── _syntax-highlighting.scss
├── _userguides
├── 00_index.md
├── 01_digital_signing.md
└── 02_digital_signing_ofr.md
├── assets
├── css
│ ├── jquery-ui.min.css
│ ├── jquery-ui.structure.min.css
│ ├── jquery-ui.theme.min.css
│ └── styleguide.css
├── img
│ ├── alerts
│ │ ├── error.png
│ │ ├── error.svg
│ │ ├── info.png
│ │ ├── info.svg
│ │ ├── success.png
│ │ ├── success.svg
│ │ ├── test.md
│ │ ├── warning.png
│ │ └── warning.svg
│ ├── change_page.png
│ ├── code_tab.png
│ ├── create_github_account.png
│ ├── create_new_issue.png
│ ├── edit_page.png
│ ├── favicons
│ │ ├── favicon-114.png
│ │ ├── favicon-144.png
│ │ ├── favicon-16.png
│ │ ├── favicon-192.png
│ │ ├── favicon-57.png
│ │ ├── favicon-72.png
│ │ ├── favicon.ico
│ │ └── favicon.png
│ ├── fork.png
│ ├── issue_title.png
│ ├── logo-cio.png
│ ├── logo-gsa.png
│ ├── preview_page.png
│ ├── propose_change.png
│ ├── pull_request.png
│ ├── pull_tab.png
│ ├── search.svg
│ ├── submit_new_issue.png
│ ├── us_flag_small.png
│ └── watch_project.png
├── js
│ ├── accordion.js
│ ├── jquery-3.5.1.min.js
│ ├── jquery-migrate-3.3.0.min.js
│ ├── jquery-ui.min.js
│ ├── respond.min.js
│ └── styleguide.js
└── uswds-0.9.1
│ ├── css
│ ├── uswds.css
│ ├── uswds.min.css
│ └── uswds.min.css.map
│ ├── fonts
│ ├── merriweather-bold-webfont.eot
│ ├── merriweather-bold-webfont.ttf
│ ├── merriweather-bold-webfont.woff
│ ├── merriweather-bold-webfont.woff2
│ ├── merriweather-italic-webfont.eot
│ ├── merriweather-italic-webfont.ttf
│ ├── merriweather-italic-webfont.woff
│ ├── merriweather-italic-webfont.woff2
│ ├── merriweather-light-webfont.eot
│ ├── merriweather-light-webfont.ttf
│ ├── merriweather-light-webfont.woff
│ ├── merriweather-light-webfont.woff2
│ ├── merriweather-regular-webfont.eot
│ ├── merriweather-regular-webfont.ttf
│ ├── merriweather-regular-webfont.woff
│ ├── merriweather-regular-webfont.woff2
│ ├── sourcesanspro-bold-webfont.eot
│ ├── sourcesanspro-bold-webfont.ttf
│ ├── sourcesanspro-bold-webfont.woff
│ ├── sourcesanspro-bold-webfont.woff2
│ ├── sourcesanspro-italic-webfont.eot
│ ├── sourcesanspro-italic-webfont.ttf
│ ├── sourcesanspro-italic-webfont.woff
│ ├── sourcesanspro-italic-webfont.woff2
│ ├── sourcesanspro-light-webfont.eot
│ ├── sourcesanspro-light-webfont.ttf
│ ├── sourcesanspro-light-webfont.woff
│ ├── sourcesanspro-light-webfont.woff2
│ ├── sourcesanspro-regular-webfont.eot
│ ├── sourcesanspro-regular-webfont.ttf
│ ├── sourcesanspro-regular-webfont.woff
│ └── sourcesanspro-regular-webfont.woff2
│ ├── img
│ ├── alerts
│ │ ├── error.png
│ │ ├── error.svg
│ │ ├── info.png
│ │ ├── info.svg
│ │ ├── success.png
│ │ ├── success.svg
│ │ ├── warning.png
│ │ └── warning.svg
│ ├── arrow-down.png
│ ├── arrow-down.svg
│ ├── arrow-right.png
│ ├── arrow-right.svg
│ ├── correct8.png
│ ├── correct8.svg
│ ├── correct9.png
│ ├── correct9.svg
│ ├── favicons
│ │ ├── favicon-114.png
│ │ ├── favicon-144.png
│ │ ├── favicon-16.png
│ │ ├── favicon-192.png
│ │ ├── favicon-57.png
│ │ ├── favicon-72.png
│ │ ├── favicon.ico
│ │ └── favicon.png
│ ├── logo-img.png
│ ├── minus.png
│ ├── minus.svg
│ ├── plus.png
│ ├── plus.svg
│ ├── search.png
│ ├── search.svg
│ ├── social-icons
│ │ ├── png
│ │ │ ├── facebook25.png
│ │ │ ├── rss25.png
│ │ │ ├── twitter16.png
│ │ │ └── youtube15.png
│ │ └── svg
│ │ │ ├── facebook25.svg
│ │ │ ├── rss25.svg
│ │ │ ├── twitter16.svg
│ │ │ └── youtube15.svg
│ └── us_flag_small.png
│ └── js
│ ├── uswds.js
│ ├── uswds.min.js
│ └── uswds.min.js.map
├── img
├── certificatechain.png
├── certificatechain_small.png
├── elements.png
├── linux_tux.png
├── logo.png
├── microsoft.png
├── ofr_add_digital_signature_new.png
├── ofr_certificate_details.png
├── ofr_certificate_types.png
├── ofr_enter_your_pin_3.png
├── ofr_remove_invisible_sign_4.png
├── ofr_sign_box_with_name_appears_here_3.png
├── ofr_sign_box_with_no_name_2.PNG
├── ofr_signature_confirmation.png
├── ofr_signatures_pane_5.png
├── ofr_windows_sec_piv_or_purch_cert.png
├── ofr_word_add_digital_signature_1.PNG
├── piv.png
├── piv_aia_ocsp_gsa.png
├── piv_aia_ocsp_gsa_small.png
├── piv_crl_gsa.png
├── piv_crl_gsa_small.png
├── pivcertificatechain.png
├── pivcertificatechain_small.png
├── ssh-putty-cac-1.png
├── ssh-putty-cac-2.png
├── winSCP-1.PNG
├── winSCP-10.PNG
├── winSCP-2.PNG
├── winSCP-3.PNG
├── winSCP-4.PNG
├── winSCP-5.PNG
├── winSCP-6.PNG
├── winSCP-7.PNG
├── winSCP-8.PNG
├── winSCP-9.PNG
├── word-signature-1.png
├── word-signature-10.png
├── word-signature-11.png
├── word-signature-12.png
├── word-signature-13.png
├── word-signature-14.png
├── word-signature-15.png
├── word-signature-16.png
├── word-signature-17.png
├── word-signature-18.png
├── word-signature-19.png
├── word-signature-2.png
├── word-signature-20.png
├── word-signature-3.png
├── word-signature-4.png
├── word-signature-5.png
├── word-signature-6.png
├── word-signature-7.png
├── word-signature-8.png
└── word-signature-9.png
└── pages
├── certchains.md
├── contribute.md
├── contribute_addpage.md
├── contribute_editpage.md
├── contribute_openissue.md
├── details.md
├── elements.md
├── identifiers.md
├── index.md
├── start.md
└── template.md
/.codeinventory.yml:
--------------------------------------------------------------------------------
1 | name: 'Federal Personal Identity Verification (PIV) Guides'
2 | description: 'PIV implementation guidance for networks, operating systems and applications'
3 | openSourceProject: 1
4 | governmentWideReuseProject: 1
5 | tags:
6 | - pki
7 | - fpki
8 | - ficam
9 | - piv
10 | - federation
11 | - credentials
12 | - authentication
13 | contact:
14 | email: icam@gsa.gov
15 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | _site/
2 | Gemfile.lock
3 | *~
4 | .sass-cache
5 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | Thank you for considering contributing to the development of open and transparent Federal Identity, Credential and Access Management implementation information.
2 |
3 | #### Public domain
4 |
5 | All contributions to this project will be released into the public domain worldwide through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
6 |
7 | By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
8 |
9 | We encourage you to read our [LICENSE](LICENSE.md) and our [README](README.md), which exist within this repository.
10 |
11 | #### General Practices
12 |
13 | This content is Vendor neutral. Marketing materials for Commercial Products should not be submitted. If you would like to contribute a page or content which includes Commercial Products and specific references for development and engineering, please review the Commercial Product trademark or copyright guides from the Product Vendor and reference those guides in your Pull Request.
14 |
15 | #### Plain Language
16 |
17 | Contributors should consider the audience when submitting content. Plain language benefits a broad audience. Review your proposed content for use of acronyms and specialized jargon before submitting.
18 |
19 | #### Thanks
20 |
21 | The idea for providing this content as open source, the contributing framework, and the licensing framework are based on work from [18F](https://18f.gsa.gov).
22 |
23 |
24 | #### How to Contribute
25 |
26 | * You can visit the GitHub repository [here](https://github.com/GSA/piv-guides/).
27 | * If you have any questions, open an issue under the 'Issues' tab.
28 | * Opening issues or adding content does require the creation of a GitHub account.
29 |
30 | Issues are to share information and discuss content with the community. For example, Issues can be used for:
31 |
32 | * _Suggestions:_ You would like to suggest an edit or addition to any existing pages or information on this site
33 | * _Corrections:_ You have identified a problem with existing information on the site and would like to discuss a correction
34 | * _Pages:_ You have identified a topic for a new guidance document that is not yet on the site that would be beneficial for everyone
35 |
36 | Each issue that you open can be named with a topic and is tracked so you can discuss the issue with other contributors and follow any updates. Please include any links or other relevant information in the issue.
37 |
38 | Direct changes and line edits to the content may be submitted by clicking 'Edit this page'. You do not need to install any software to submit content. You can use GitHub's in-browser editor to edit files and submit a pull request for your changes to be merged.
39 |
40 | When you want to suggest a new topic for the site and would like to create a draft, follow the steps below:
41 |
42 | #### How to Build a New Guide
43 |
44 | * To see an example of a topic, visit the Template sample [here](/pages/template.md).
45 | * To find this template directly, you can browse the pages folder in the repository and select the 'template.md' file.
46 | * Click the 'Raw' button towards the top right of the page to view the file as raw code. Within this file are helpful comments and instructions on where different parts of your content will be entered. Please note that you will not need to know how to code to contribute, as the only code within the file is simply to help format the final page.
47 | * Copy all of the samples from the template.
48 | * Navigate back to the pages folder and select the 'New file' button towards the top right of the page.
49 | * Enter a name for your file in the text box that says 'Name your file...', which will also act as the permanent link for your page.
50 | * Paste the samples and follow the instructions within the sample to populate the template with your content.
51 |
52 | #### How to Submit Your Draft Guide
53 | * When your file is ready to be added to the repository, enter a title and quick description of your new page in the 'Commit new file' box at the bottom of the 'New file' page.
54 | * Within this box are two radio button options. Be sure to select the 'Create a new branch for this commit and start a pull request' radio button, so that your content can go through the proper review process before going live on the Playbook site.
55 | * Click the 'Propose new file' button. This will route you to the 'Open a pull request' page.
56 | * Within the information box on the pull request page, create a title that reflects the nature of the content added, as well as a reference to the issue number that was opened stating the need for this topic, such as 'Issue #39 - Created a new page for how to enable PIV for logical access', entering any other relevant notes within the comment field.
57 | * Click the 'Create pull request' button. This will send a notification to the site administrators that a new page has been added, which they can then review.
58 | * Be sure to follow the progress of the issue that you opened stating what content you intended to add! This will allow you to see if others have comments or contributing information for the process, or if the site admin has responded with an updated status on your new page.
59 |
60 | If you have a question during the contribution process, do not hesitate to open an issue requesting clarification. You can also email us at icam at gsa dot gov.
61 |
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
1 | source 'https://rubygems.org'
2 | gem 'jekyll'
3 | gem 'uswds-jekyll', :git => 'https://github.com/18F/uswds-jekyll.git'
4 | gem 'jekyll-redirect-from'
5 |
--------------------------------------------------------------------------------
/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | #### Description of Issue: ####
2 |
3 |
4 | #### Details of Issue: ####
5 |
6 |
7 | #### References (Docs, Links, Files): ####
8 |
9 |
10 | #### If a New Page or Content is Needed, Expected Outcomes: ####
11 |
12 |
13 | #### Link to the Content Page for Contributors: ####
14 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: LICENSE
4 | permalink: /license/
5 | ---
6 |
7 | This project is in the public domain within the United States.
8 |
9 | We waive copyright and related rights in the work worldwide through the CC0 1.0 Universal public domain dedication.
10 |
11 | ## CC0 1.0 Universal Summary
12 |
13 | This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
14 |
15 | ### No Copyright
16 |
17 | The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
18 |
19 | You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
20 |
21 | ### Other Information
22 |
23 | In no way are the patent or trademark rights of any person affected by CC0, nor are the rights that other persons may have in the work or in how the work is used, such as publicity or privacy rights.
24 |
25 | Unless expressly stated otherwise, the person who associated a work with this deed makes no warranties about the work, and disclaims liability for all uses of the work, to the fullest extent permitted by applicable law. When using or citing the work, you should not imply endorsement by the author or the affirmer.
26 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | This work is in beta stage and is led by the GSA FICAM Program in coordination with the ICAM Subcommittee of the Federal CIO Council.
2 |
3 | # FICAM Guides
4 | This repository is for the collaborative development of the Federal Identity, Credential, and Access Management **PIV Guides**:
5 |
6 | * information and step-by-step guidance on how to use and enable applications to use PIV.
7 |
8 | Please consider contributing your lessons learned, code, scripts, how-to guides, and links to government or open source repositories with handy tools.
9 |
10 | ## General Practices
11 | This content is Vendor neutral. Marketing materials for Commercial Products should not be submitted. If you would like to contribute a page or content which includes Commercial Products and specific references for development and engineering, please review the Commercial Product trademark or copyright guides from the Product Vendor and reference those guides in your Pull Request.
12 |
13 | ## Plain Language
14 | Contributors should consider the audience when submitting content. Plain language benefits a broad audience. Review your proposed content for use of acronyms and specialized jargon before submitting.
15 |
16 | ## Roadmap
17 | The expected roadmap for these guides:
18 |
19 | * On-going contributions and collections
20 | * Applications and patterns
21 | * Developer tools and tips
22 | * User tools and tips
23 |
24 | ## How to Contribute
25 | For information on how to contribute to the site, review [Contributing](CONTRIBUTING.md/). The source repository exists [here](https://github.com/GSA/piv-guides/).
26 |
27 | Direct changes and line edits to the content may be submitted through a pull request by clicking 'Edit this page'. You do not need to install any software to submit content. You can use GitHub's in-browser editor to edit files and submit a pull request for your changes to be merged.
28 |
29 | ### Public domain
30 |
31 | This project is in the worldwide [public domain](LICENSE.md).
32 |
33 | > This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
34 | >
35 | > All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
36 |
37 | ### Special Thanks
38 | This site is based on GitHub Pages and Jekyll templates.
39 |
40 | Special thanks to the teams at [18F](https://18f.gsa.gov/), [18F Pages](https://pages.18f.gov/), and [US Digital Services Playbooks](https://playbook.cio.gov/) for their open and transparent model which benefits citizens, government, and technology.
41 |
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | # Site settings
2 | title: PIV Usage Guides
3 | name: PIV Usage Guides
4 | email: icam@gsa.gov
5 | author:
6 | name: FICAM
7 | description: PIV Guidance
8 | highlighter: rouge
9 | repo_url: https://github.com/GSA/piv-guides
10 | baseurl: '/piv-guides'
11 | branch: federalist-pages
12 | # Federalist overwrites the site.branch value when deploying
13 | # the site.branch was used in dynamic link generation for objects like Edit Page
14 | # we want the dynamic links to send users to the staging branch. Adding new site variable to ensure federalist doesn't overwrite.
15 | editbranch: staging
16 |
17 | plugins:
18 | - jekyll-redirect-from
19 |
20 | #ficam_playbooks_url: /ficam-guides/
21 |
22 | theme: uswds-jekyll
23 | search_site_handle: idmprod
24 |
25 | # Links
26 | # List links that you would like to appear on the top navigation bar here
27 | navbar:
28 | - title: IDmanagement.gov
29 | description: Idmanagement.gov
30 | url: https://www.idmanagement.gov
31 | - title: Federal ICAM Architecture
32 | description: Federal ICAM Architecture
33 | url: https://arch.idmanagement.gov
34 | #- title: PIV Guides
35 | # description: PIV Guides
36 | # url: https://piv.idmanagement.gov
37 | - title: Federal PKI Guides
38 | description: Federal PKI Guides
39 | url: https://fpki.idmanagement.gov
40 | - title: Physical Access Control Guide
41 | description: Physical Access Control Guides
42 | url: https://pacs.idmanagement.gov
43 | - title: Program Management Guide
44 | description: Program Management Guide
45 | url: https://pm.idmanagement.gov
46 |
47 |
48 |
49 | # Build settings
50 | markdown: kramdown
51 |
52 | kramdown:
53 | input: GFM
54 | syntax_highlighter: rouge
55 |
56 | exclude:
57 | - bin
58 | - config.rb
59 | - Gemfile
60 | - Gemfile.lock
61 | - gems
62 | - Procfile
63 | - Rakefile
64 | - README.md
65 | - script
66 | - vendor
67 |
68 | navigation:
69 | - text: Introduction
70 | url: ''
71 | internal: true
72 | coll: false
73 | - text: Basics of a PIV
74 | url: elements
75 | internal: true
76 | coll: false
77 | - text: Getting Started
78 | url: start
79 | internal: true
80 | coll: false
81 | - text: Details of a PIV
82 | url: details
83 | internal: true
84 | coll: false
85 | - text: Identifiers in a PIV
86 | url: identifiers
87 | internal: true
88 | coll: false
89 | - text: Certificate Trust
90 | url: pivcertchains
91 | internal: true
92 | coll: false
93 | - text: Network Authentication
94 | url: networkconfig/
95 | internal: true
96 | coll: true
97 | collname: networkconfig
98 | - text: Engineering Guides
99 | url: engineering/
100 | internal: true
101 | coll: true
102 | collname: engineering
103 | - text: User Guides
104 | url: userguides/
105 | internal: true
106 | coll: true
107 | collname: userguides
108 | #- text: Script and Code Samples
109 | # url: code
110 | # internal: true
111 | # coll: false
112 | - text: Contribute
113 | url: contribute
114 | internal: true
115 | coll: false
116 |
117 | collections:
118 | networkconfig:
119 | label: "Network Authentication"
120 | permalink: /networkconfig/:path/
121 | output: true
122 | ## userconfig:
123 | ## label: "Administrator Guides"
124 | ## permalink: /userconfig/:path/
125 | ## output: true
126 | engineering:
127 | label: "Engineering Guides"
128 | permalink: /engineering/:path/
129 | output: true
130 | userguides:
131 | label: "User Guides"
132 | permalink: /userguides/:path/
133 | output: true
134 |
135 | include:
136 | - _stylesheets
137 | - _javascript
138 |
139 |
140 |
141 | # Custom site configuration
142 | lang: en
143 |
--------------------------------------------------------------------------------
/_engineering/00_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Introduction to PIV Engineering Guides
4 | permalink: /engineering/
5 | collection: engineering
6 | redirect_to: https://playbooks.idmanagement.gov/piv/engineer/
7 | ---
8 |
9 | PIV engineering guides are for engineers configuring agency infrastructure, servers and enterprise applications for authentication. The guides are focused on US Federal Government implementations.
10 |
11 | {% include alert-info.html heading="Are you trying to solve a problem?" content="The same problem has likely been encountered or solved by your colleagues. Engineering guides exist across government. The purpose for this site is to organize tips from agency engineers, help link to .gov or .mil information available, and provide a common site for collaboration." %}
12 |
13 | You can find additional guides across agency websites by using a few simple methods:
14 |
15 | 1. Search on the Internet: include the _server_ or _application_ or _topic_ and add "+PIV +CAC"
16 | 1. Search on the Internet: include the _server_ or _application_ or _topic_ and add "+x509"
17 | 1. Search on Max.gov: [Max.gov](https://max.gov){:target="_blank"} requires you to login. Try searching for the topic or guide.
18 |
19 | If you don't find what you're looking for, open an [Issue]({{site.repo_url}}/issues){:target="_blank"}. We can help look through the archives of guides that haven't been posted yet or help you send a request to the government listservs.
20 |
21 | {% include alert-info.html heading="Application integrations using federation protocols" content="We will be migrating the application integration patterns from the Federal ICAM Roadmap and working group documentation - including the use of Security Assertion Markup Language and Open ID Connect - to a set of guides soon!" %}
22 |
23 | Your contributions are encouraged and welcome! You can [contribute]({{ site.baseurl }}/contribute/) to this effort or open an [Issue]({{site.repo_url}}/issues) to discuss a need you may have for a guide.
24 |
--------------------------------------------------------------------------------
/_engineering/01_firefox.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Configure Firefox
4 | collection: engineering
5 | permalink: engineering/firefox/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/engineer/firefox/
7 | ---
8 |
9 | You may need to configure Firefox to enable your agency users to log into web applications using their PIV credentials. This can be tricky because Firefox uses a cryptographic token interface standard (PKCS #11) that is not always natively supported by operating systems or OS default drivers.
10 |
11 | This guide will help you to configure Firefox by using an open source software package. In addition to open source solutions, commercial software may be used.
12 |
13 | * [Install and Test OpenSC](#install-and-test-opensc)
14 | * [Configure Firefox](#configure-firefox)
15 |
16 | {% include alert-info.html heading="PKCS #11" content="You are interested in learning more? Search for PKCS #11 for other resources available." %}
17 |
18 | ## Install and Test OpenSC
19 | OpenSC will enable a user's PIV credential to work with Firefox and some signing and encryption applications.
20 |
21 | First, you will need to install and test **OpenSC**. OpenSC has installers for multiple operating systems, including Windows, macOS, and Linux flavors. The installers can be downloaded directly from GitHub and the OpenSC wiki:
22 |
23 | * [View instructions and installation procedures for OpenSC](https://github.com/OpenSC/OpenSC/wiki/){:target="_blank"}
24 |
25 | When installing OpenSC, you need to consider some items that are specific for the U.S. Government:
26 |
27 | * You will need to download and install either the 64-bit or 32-bit version of OpenSC, depending on the OS.
28 | * You do not need to install the full packages for OpenSC.
29 | * You can limit the packages for distribution to enterprise workstations to just support PKCS #11.
30 | * You can push the packages to the enterprise workstations using your enterprise configuration management tools.
31 |
32 | ## Configure Firefox
33 |
34 | ### Load New Security Device
35 |
36 | Launch **_Firefox_** and load a new _Security Device_ (i.e., the Security Device is your PIV credential) using the OpenSC PKCS #11 driver:
37 | * From the _Firefox_ taskbar, click the _Options_ icon ("gear" shape).
38 | * Click the _Privacy & Security_ menu from the left-hand navigation.
39 | * Scroll down until you see the _Certificates_ heading, and then click _Security Devices_.
40 | * At the _Device Manager_ window, click the _Load_ button and enter this module name: _OpenSC PKCS#11 Module_.
41 | * Select the directory where the OpenSC PKCS #11 driver is located. The default locations are:
42 |
43 | | **OS** | **Default Driver Location** | **Driver File Name** |
44 | | ----- | -------| -------|
45 | | **Windows** | C:\Windows\System32 | pkcs11.dll |
46 | | **macOS** | /Library/OpenSC/lib/ | pkcs11.so |
47 | | **Linux** | /usr/lib/ | pkcs11.so |
48 | | **Ubuntu** | /usr/lib/x86_64-linux-gnu/ | opensc-pkcs11.so |
49 |
50 | * Click _Open_ and verify that the module has been loaded. Then, click _OK_ to return to the _Privacy & Security_ options.
51 |
52 | ### Import PIV Issuer Certificate
53 | * Click the _View Certificates_ button. If prompted, enter your PIV credential PIN.
54 | * Click the _Authorities_ tab from the top navigation.
55 | * Click the _Import_ button to import a copy of your PIV credential issuer's Certification Authority (CA) certificate. Obtain the CA certificate from your agency's official distribution point and verify it (for example, by comparing its fingerprint with the published value) before importing, because an imported Authority certificate can vouch for any website or email sender. When prompted, trust the certificate for identifying websites _and_ email users.
56 | * Click _OK_ and restart _Firefox_.
57 |
58 | ### Test Authentication
59 | * Browse to a web application that requires authentication with a PIV credential. A common web application to use as a test is [MAX.gov](https://max.gov/maxportal/home.action){:target="_blank"}. (**Note:** You'll need to have an existing MAX.gov account for this to work.)
60 | * Firefox will prompt you to enter your PIV credential PIN and select a certificate for authentication.
61 |
--------------------------------------------------------------------------------
/_includes/alert-error.html:
--------------------------------------------------------------------------------
1 |
43 |
44 | {% include analytics.html %}
45 |
46 |
47 |
--------------------------------------------------------------------------------
/_networkconfig/00_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Introduction to Network Authentication Guides
4 | permalink: /networkconfig/
5 | collection: networkconfig
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/
7 | ---
8 |
9 | These Network Authentication guides will help you configure your Windows _network domain_ for smartcard logon using PIV credentials.
10 |
11 | There are many useful pages and technical articles available online that include details on configurations and using generic smartcards. The information presented here addresses common questions and configurations **specific** to the US Federal Government, **PIV** smartcards, and US federal civilian agency Certification Authorities.
12 |
13 | {% include alert-info.html heading = "Teamwork" content="Work with your Network Engineers, Domain Admins, Account Management, and Information Security colleagues to review the information, perform the configurations, and troubleshoot any issues together." %}
14 |
15 | ## Pre-Launch Checklist
16 |
17 | Check the following items **before** reviewing these network guides and lessons learned:
18 |
19 | 1. Users have PIV credentials and PIV card readers
20 | 1. You are using Microsoft Active Directory to manage your Windows network
21 | Domain Controllers run Windows Server 2008 R2, 2012, or later
22 | 1. User workstations **are joined** to your network and are Windows 7, Windows 8, or Windows 10-based
23 |
24 | ## Configuration Checklist
25 |
26 | There are five configuration categories to review with your colleagues. All five include steps that must be completed, and it's best to review and complete them in this order:
27 |
28 | - [Network Ports and Protocols]({{site.baseurl}}/networkconfig/ports/)
29 | - [Domain Controllers]({{site.baseurl}}/networkconfig/domaincontrollers/)
30 | - [Trust Stores]({{site.baseurl}}/networkconfig/trustedroots/)
31 | - [Account Linking: Associating PIV credentials with User Accounts]({{site.baseurl}}/networkconfig/accounts/)
32 | - [Group Policies and Enforcement]({{site.baseurl}}/networkconfig/grouppolicies/)
33 |
34 |
35 | There are three additional guides:
36 |
37 | - [Network Tuning]({{site.baseurl}}/networkconfig/tuning/)
38 | - [Local Certification Authority]({{site.baseurl}}/networkconfig/localca/)
39 | - [Authentication Assurance]({{site.baseurl}}/networkconfig/ama/)
40 |
41 | We want to add additional information for installing online certificate status protocol (OCSP) services, common errors and troubleshooting, and configuring MacOSX and other operating systems.
42 |
43 | Submit an [Issue]({{site.repo_url}}/issues) to identify information that would be helpful to you, or consider contributing a page to these guides with your lessons learned.
44 |
45 |
46 |
--------------------------------------------------------------------------------
/_networkconfig/01_portsprotocols.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Network Ports and Protocols
4 | collection: networkconfig
5 | permalink: networkconfig/ports/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/ports/
7 | ---
8 |
9 | Your workstations, servers, network domain controllers and applications need to validate the [revocation]({{site.baseurl}}/pivcertchains#revocation) status of the PIV certificates and all intermediate certification authority certificates. In addition, the [certificate chain]({{site.baseurl}}/pivcertchains#certificate-chains) path building may retrieve and download the intermediate certification authority certificates.
10 |
11 | The validation occurs in real-time (with some caching) and requires ensuring network traffic is open and available to the destination web services, ports, and protocols. Many US Federal agencies implement a layered network security model with demilitarized zones (DMZs), proxies and Trusted Internet Connections (TICs) to monitor, defend and protect the networks, applications and users.
12 |
13 | This page includes information to help you verify your network configurations:
14 |
15 | - [Verifying and Troubleshooting](#verifying-and-troubleshooting)
16 | - [Web services for validating PIV certificates](#web-services-for-validating-piv-certificates)
17 | - [Web services for the Federal Public Key Infrastructure](#web-services-for-the-federal-public-key-infrastructure)
18 |
19 | ## Verifying and Troubleshooting
20 | Non-accessible endpoints for the web services, due to firewalls blocking access, are a very common root cause of errors. If you encounter user errors including "Cannot validate" and similar domain controller errors, your first troubleshooting step should be to verify your network and access.
21 |
22 | {% include alert-info.html heading = "nslookup and certutil are your friendly tools" content="Restricted or denied access to internet web services including the OCSP and CRL web services used in the certificate validations lead to common errors and issues. Collaborate with your Network Engineers to review the web services, IP addresses, ports and protocols, and verify access from all local and wide area network segments." %}
23 |
24 | Troubleshooting whether the web service endpoints are accessible or blocked by firewall rules is simple to begin. You have four basic utility tools for troubleshooting:
25 |
26 | - certutil (Microsoft)
27 | - openssl
28 | - nslookup
29 | - tracert
30 |
31 |
32 | For the typical network domain, _certutil_ will be your best option to identify a number of possible root causes. There are many options available in the _certutil_ utility tool, and two are covered here.
33 |
34 | Export your _public_ key and certificate for PIV Authentication to a .cer file (mypiv_auth.cer), and run the following command in a command line from workstation(s) *and* domain controller(s):
35 |
36 | ```
37 | certutil -verify -urlfetch mypiv_auth.cer >>verify_piv.txt
38 | ```
39 |
40 | The text file output will include a *full* check against all options for CRLs, OCSP, intermediate certificates to verify a trust chain, and the root (COMMON). Review all items and ensure at least one successful verification message is included for _each check_. You may see errors for the LDAP verifications and these can be ignored if a CRL or OCSP check is successful.
41 |
42 | {% include alert-warning.html heading = "Time is important" content="When reviewing the verification messages, you should pay careful attention to the time. For example, if a CRL file is not downloaded in under 15 seconds then it is very likely you will encounter network authentication errors and will need to perform some tuning." %}
43 |
44 | There is also a graphical user interface to help perform these verification checks.
45 |
46 | ```
47 | certutil -v -url mypiv_auth.cer
48 | ```
49 | The graphical user interface allows you to check OCSP, CRL, and AIA (intermediate certificate retrievals).
50 |
51 | ## Web services for validating PIV certificates
52 |
53 | [Revocation]({{site.baseurl}}/pivcertchains#revocation) status is validated using either Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). To meet your initial network requirements, you should ensure the OCSP and CRL URLs included in *your agency* users' [PIV Authentication certificates]({{site.baseurl}}/details/#viewing-your-piv-credential) are accessible from all workstations and domain controllers.
54 |
55 | | Type | Certificate Extension | Protocol (Port) | Considerations|
56 | | ----- | -------| -------| ------|
57 | | OCSP | Authority Information Access | HTTP (80) | All PIV certificates have OCSP references and OCSP URLs which are internet accessible and provided by the issuing certification authority. Intermediate certification authorities are **not** required to have OCSP available for the _intermediate_ certificates.|
58 | | CRL | CRL Distribution Point (CDP) | HTTP (80) | All PIV certificates have CRL capabilities provided by the issuing certification authority. All intermediate certification authority certificates have CRL capabilities. CRL files have an expiration time which varies between 6 hours to 18 hours. CRL file sizes range from a few kilobytes to over 30 megabytes (MB). |
59 |
60 | Lightweight Directory Access Protocol (LDAP) for retrieving information is not preferred and has been increasingly deprecated; therefore, LDAP is not included.
61 |
62 | There are dozens of OCSP and CRL URLs for *all* issued PIV credentials. If you have users with PIV credentials from other agencies or partners, identifying all the URLs to verify against your network configurations will be more complex.
63 |
64 | ## Web services for the Federal Public Key Infrastructure
65 |
66 | The Federal Common Policy Certification Authority (COMMON) is the root certification authority and has web services to publish both [certificate chains]({{site.baseurl}}/pivcertchains#certificate-chains) (p7b files) and [CRLs](../../pivcertchains#revocation) for all intermediate certification authorities which the root signs.
67 |
68 | To enable communications with these Federal Common Policy Certification Authority services, including those currently operational and any expansion, you should verify outbound communications to the base domain of http.fpki.gov. For example, a successful connection to http://http.fpki.gov/fcpca/fcpca.crt will download a copy of the Federal Common Policy CA certificate. Because this download is over plain HTTP, compare the downloaded certificate's fingerprint against a value published out of band before installing it as a trust anchor.
69 |
70 | You should consider allowing two protocols (ports): HTTP (80) and DNS (53). Although the web services for publishing CRLs are not currently served over HTTPS (443), you may want to allow HTTPS (443) to future proof for any expansion.
71 |
--------------------------------------------------------------------------------
/_networkconfig/02_domaincontrollers.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Domain Controllers
4 | collection: networkconfig
5 | permalink: networkconfig/domaincontrollers/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/dc/
7 | ---
8 |
9 | To use smartcards and PIV credentials for network authentication, all Domain Controllers need to have Domain Controller authentication certificates.
10 |
11 | {% include alert-info.html heading = "Devices authenticate too!" content="When your users are using certificates to authenticate to the network, the Domain Controllers are also authenticating as devices using certificates. They work together to create secure connections. To learn more, search for online resources that discuss Public Key Cryptography for Initial Authentication (PKINIT) protocols." %}
12 |
13 | This page contains information on domain controller certificate profiles, and issuing domain controller certificates.
14 |
15 | - [Domain Controller certificate profiles](#domain-controller-certificate-profiles)
16 | - [Issue Domain Controller certificates](#issue-domain-controller-certificates)
17 |
18 | ## Domain controller certificate profiles
19 |
20 | Domain Controller certificates must be issued with a set of specific extensions and values. The certificate profile for each Domain Controller must meet the following requirements:
21 |
22 | - The certificate **Key Usage** extension must contain:
23 |
24 | Digital Signature, Key Encipherment
25 |
26 | - The certificate **Enhanced Key Usage** extension must contain:
27 |
28 | Client Authentication (1.3.6.1.5.5.7.3.2)
29 | Server Authentication (1.3.6.1.5.5.7.3.1)
30 |
31 | - The certificate **Subject Alternative Name** extension must contain the Domain Name System (DNS) qualifier and fully qualified Domain controller name. For example:
32 |
33 | DNS Name=controller1.intranet.agency.gov
34 |
35 | - The certificate **Subject Alternative Name** must also contain the Domain Controller's Globally Unique Identifier (GUID) (i.e., for the "Domain Controller object").
36 |
37 | * To determine the Domain Controller's GUID, start **Ldp.exe** and locate the **domain-naming context**.
38 | * Double-click on the **name of the Domain Controller** whose GUID you want to view.
39 |
40 | > The list of attributes for the Domain Controller object contains **"Object GUID" followed by a long number**. The number is the object GUID. For example:
41 |
42 | Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 bb d6 5d 4f e3 9c 4c ab c3 6a 55 d9
43 |
44 | > The Domain Controller's certificate must be installed in the domain controller's local computer's **_personal certificate store_**.
45 |
46 | ## Issue Domain Controller certificates
47 |
48 | Agencies should issue domain controller certificates from a certification authority (CA) that is trusted only locally or within the enterprise; it may be agency operated or commercially sourced. If you have any questions, collaborate with your Chief Information Security Officer (CISO) or Information Security office.
49 |
50 | If you have an existing local enterprise certification authority, [here are some tips.]({{site.baseurl}}/networkconfig/localca/#configure-certificate-template-for-domain-controller)
51 |
52 | If your agency does not have a CA that is trusted only locally, ensure the proper management and security protections are enabled before [setting one up]({{site.baseurl}}/networkconfig/localca/). Your Chief Information Security Officer (CISO) must have awareness and oversight established for the certification authority management.
53 |
--------------------------------------------------------------------------------
/_networkconfig/03_managingtrustroots.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Trust Stores
4 | collection: networkconfig
5 | permalink: networkconfig/trustedroots/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/trust-stores/
7 | ---
8 |
9 | You want your Active Directory domain, including servers and workstations, to trust users' PIV credentials for authentication. Trust and certificate chains are reviewed in the [Certificate Trust](../../pivcertchains) overview, and this page includes information on configuring your Active Directory domain.
10 |
11 | There are two trust stores to consider for your Active Directory domain:
12 |
13 | - [Trusted Root Certification Authorities Trust Store](#trusted-root-certification-authorities-trust-store)
14 | - [Enterprise NTAuth Trust Store](#enterprise-ntauth-trust-store)
15 |
16 | ## Trusted Root Certification Authorities Trust Store
17 | You need to publish the Federal Common Policy Certification Authority (COMMON) [root certificate]({{site.baseurl}}/pivcertchains/#download-root-and-intermediate-certificates) to the Trusted Root Certification Authorities trust stores on all your workstations, devices, servers, and domain controllers.
18 |
19 | It is recommended to add the COMMON [root certificate]({{site.baseurl}}/pivcertchains/#download-root-and-intermediate-certificates) to a Group Policy Object (GPO) to publish it as a _trusted root_ for all domain users and computers. It is also possible to install it via the command line; however, keep in mind that the way a certificate is added to a store (Trusted Root, NTAuth, etc.) is the way the certificate has to be removed from the store in the future. For example, an administrator cannot add certificates locally to a system via the command line and then remove the certificate later using a GPO.
20 |
21 | Additionally, the Root CA for the domain controller certificates must also be in the Trusted Root Certification Authorities trust store on all your workstations, devices, servers, and domain controllers for which the domain controller will be authorizing smart card logon.
22 |
23 | ## Enterprise NTAuth Trust Store
24 | The Enterprise NTAuth trust store is used by your Active Directory domain to determine which certification authorities to trust for issuing certificates that are authorized for smart card logon. The certificate for the Issuing CA of both the smart card certificate and the Domain Controller certificate must be published to the Enterprise NTAuth store. If your agency will accept PIV credentials issued by another agency or partner, you will need to include all possible Issuing CAs into the Enterprise NTAuth store.
25 |
26 | Use certutil to publish a certificate to the NTAuth store. This will require Enterprise Admin permissions for the domain.
27 |
28 | To publish / add a certificate to NTAuth:
29 |
30 |
31 | ```
32 | certutil -dspublish -f IssuingCaFileName.cer NTAuthCA
33 | ```
34 |
35 | To view all certificates in NTAuth:
36 |
37 | ```
38 | certutil -viewstore -enterprise NTAuth
39 | ```
40 |
41 | To remove certificates in NTAuth:
42 |
43 | ```
44 | certutil -viewdelstore -enterprise NTAuth
45 | ```
46 |
47 | Depending on your Active Directory topology, it could take several hours to propagate any changes throughout the agency. To propagate from the domain controller(s) to the enterprise, a group policy update can be forced to an OU via Group Policy Management Console. If troubleshooting a single computer, running either of the following commands, from an elevated command prompt, on the problem computer should work:
48 |
49 | ```
50 | gpupdate /force
51 | ```
52 |
53 | or
54 |
55 | ```
56 | certutil -pulse
57 | ```
58 |
59 | However, the registry containing this information may not be updated if your agency has the Certificate Services Client - Auto-Enrollment disabled.
60 |
61 | In this case, an administrator can add it locally with the command:
62 |
63 | ```
64 | certutil -enterprise -addstore NTAuth IssuingCaFileName.cer
65 | ```
66 |
67 |
--------------------------------------------------------------------------------
/_networkconfig/04_accounts.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Account Linking
4 | collection: networkconfig
5 | permalink: networkconfig/accounts/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/account/
7 | ---
8 |
9 | For your network domains, you will need to associate the PIV credential to the user accounts. This is the [account linking]({{site.baseurl}}/identifiers) information discussed in the Identifiers section. The most common questions from US Federal Government agencies about using PIV for network authentication relate to linking a PIV credential to network user accounts.
10 |
11 | This page includes the information on the Identifiers for account linking in network authentication:
12 |
13 | - [Comparing Principal Name versus altSecurityIdentities options for the network](#comparing-principal-name-versus-altsecurityidentities-options)
14 | - [Implementing altSecurityIdentities and PIV certificate mapping](#implementing-altsecurityidentities-and-piv-certificate-mapping)
15 |
16 |
17 | ## Comparing Principal Name versus altSecurityIdentities options
18 | There are two attributes in your network domain directories to choose from:
19 |
20 | - Principal Name
21 | - altSecurityIdentities - _recommended_
22 |
23 | For the Principal Name approach:
24 |
25 | - Each PIV credential can only be associated with ONE account
26 | - The User Principal Name value from the _Subject Alternative Name_ in the PIV authentication certificate is required to be populated during PIV credential issuance
27 | - There is no flexibility for associating the PIV credential to separate privileged accounts
28 | - There is less flexibility for accepting PIV credentials issued by other government agencies or partners, including PIV-Interoperable credentials
29 |
30 | For the altSecurityIdentities approach:
31 |
32 | - Each PIV credential can be associated with MORE THAN ONE account
33 | - Six options from the certificate can be used to map to each account
34 | - This provides flexibility for managing privileged accounts and using one PIV credential to authenticate to more than one account
35 | - Users are presented a second _User Name Hint_ field during network authentication to identify which account the user wants to access
36 | - There is more flexibility for accepting PIV credentials issued by other government agencies or partners, including PIV-Interoperable credentials
37 |
38 |
39 | {% include alert-info.html heading = "PIV Certificates and UPN values" content="It is not required that you update your PIV credentials and certificates to not have a UPN value populated to use the altSecurityIdentities approach. This is a common misconception due to incorrect information found elsewhere online. If your PIV Authentication certificates do contain a UPN value in the Subject Alternative Name extension, altSecurityIdentities will still work for you, your agency, and your users." %}
40 |
41 |
42 | ## Implementing altSecurityIdentities and PIV certificate mapping
43 |
44 | If you have a large network with many domains, you will want to carefully plan for a migration from solely using Principal Name to the altSecurityIdentities approach.
45 |
46 | You may find that you have many applications that rely upon the Principal Name values only. You can still populate the Principal Name with the PIV Authentication certificate User Principal Name value for one of the user accounts (the non-privileged accounts) to maintain those applications but disable user principal name mapping for _network authentication_.
47 |
48 | You have three steps to implement altSecurityIdentities and PIV certificate mapping:
49 |
50 | - [Disable User Principal Name Mapping](#disable-user-principal-name-mapping)
51 | - [Link the PIV Authentication Certificate](#link-the-piv-authentication-certificate)
52 | - [Enable User Name Hints](#enable-user-name-hints)
53 |
54 | #### Disable User Principal Name Mapping
55 | To implement the altSecurityIdentities approach, you will need to disable _subject alternative name_ mapping for the network domain. This setting simply tells your network domain: _I don't always want to use the Subject Alternative Name values for my user certificates._
56 |
57 | This is a registry setting and you must disable this setting on all domain controllers:
58 |
59 | - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
60 | - Change the value of the DWORD UseSubjectAltName to 00000000
61 | - [LINK to External MSDN Article to Disable UPN Mapping](https://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx){:target="_blank"}
62 |
63 | Management of registry settings should use group policy objects or other centralized management options.
64 |
65 | #### Link the PIV Authentication Certificate
66 | You need to link the PIV Authentication certificate to each of the user's accounts. You implement this by populating one of the PIV Authentication certificate identifiers to the altSecurityIdentities attribute for each account.
67 |
68 | - You have six options from the certificates to use
69 | - A common challenge is determining how the certificate values should be mapped. A table is shown below with options and example values which closely resemble a production format for PIV Authentication. Options that bind only to a name (Subject, RFC822 name) are satisfied by any certificate carrying that name from any CA your domain trusts for logon; the options that include the issuer or the key bind the account more tightly, which matters most for privileged accounts.
70 |
71 |
72 | | Options | Tag | Example | Considerations |
73 | | ------------- |-------------| -----|-----|
74 | | Subject | `X509:<S>` | `X509:<S>C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=25001003151020` | For certificates which assert the UID identifier (0.9.2342.19200300.100.1.1) or other object identifier in the common name, the identifier is prepended with the _OID_ qualifier. |
75 | | Issuer and Subject | `X509:<I><S>` | `X509:<I>C=US,O=U.S. Government,OU=Certification Authorities,OU=Government Demonstration CA<S>C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=47001003151020` | Note the spaces carefully when testing and machine readable formats of the certificate extensions versus the human readable formats |
76 | | Issuer and Serial Number | `X509:<I><SR>` | `X509:<I>C=US,O=U.S. Government,OU=Certification Authorities,OU=Government Demonstration CA<SR>46a65d49` | Serial number is reversed byte order from human readable version, starting at most significant byte |
77 | | Subject Key Identifier | `X509:<SKI>` | `X509:<SKI>df2f4b04462a5aba81fec3a42e3b94beb8f2e087` | Not generally recommended; may be difficult to manage |
78 | | SHA1 hash of public key| `X509:<SHA1-PUKEY>` | `X509:<SHA1-PUKEY>50bf88e67522ab8ce093ce51830ab0bcf8ba7824` | Not generally recommended; may be difficult to manage |
79 | | RFC822 name | `X509:<RFC822>` | Not recommended | Not recommended; not commonly populated in PIV Authentication certificates |
80 |
81 | #### Enable User Name Hints
82 | You need to enable _user name hints_ for your network domain. This will modify the logon prompts for _Windows_ workstations and servers joined to the network domain. Your users will be prompted to provide both the PIV credential PIN value and a User Name Hint value.
83 |
84 | Username Hint Setting:
85 | For Windows 2008 R2:
86 | - _Computer Configuration_ -> _Policies_-> _Administrative Templates_ -> _Windows Components_, and then expand _Smart Card_.
87 | - Select _Allow user name hint_
88 |
89 | For Windows 2012:
90 | - _Computer Configuration_ -> _Administrative Templates_ -> _Windows Components_, and then expand _Smart Card_.
91 | - Select _Allow user name hint_
92 |
93 | Management of smart card settings should be deployed using a group policy object for the domain.
94 |
--------------------------------------------------------------------------------
/_networkconfig/05_grouppolicies.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Group Policies and Enforcement
4 | collection: networkconfig
5 | permalink: networkconfig/grouppolicies/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/group/
7 | ---
8 |
9 | The US Government publishes the [United States Government Configuration Baseline (USGCB)](http://usgcb.nist.gov/usgcb_content.html){:target="_blank"}{:rel="noopener noreferrer"} for use by Executive Branch agencies to promote uniform configurations for [commonly used operating systems](https://cio.gov/cio-council-streamlines-configuration-baseline-process/){:target="_blank"}{:rel="noopener noreferrer"}. The USGCB configuration guidelines for specific operating systems include references to some configurations related to smartcard (PIV) logon and should be referenced first.
10 |
11 | The information on this page is to answer questions and identify the most commonly used configuration options. For a full reference of options for each operating system, please refer to configurations guides published by other sources online.
12 |
13 | * [Machine Based Enforcement versus User Based Enforcement](#machine-based-enforcement-versus-user-based-enforcement)
14 | * [Defining the policies for Machine Based Enforcement or User Based Enforcement](#defining-the-policies-for-machine-based-enforcement-or-user-based-enforcement)
15 |
16 | ## Machine Based Enforcement versus User Based Enforcement
17 |
18 | There are two options for requiring users to use PIV credentials to authenticate to the network domain:
19 |
20 | * Machine Based Enforcement (MBE)
21 | * User Based Enforcement (UBE)
22 |
23 | These options are controlled by group policy applied to either Machine or User objects in your network domain. There is planning required to move to full User Based Enforcement and agencies are often using a combination of both Machine and User enforcement in their deployments.
24 |
25 | {% include alert-warning.html heading = "User Based Enforcement" content="The user's password will no longer be known by the user. Look for agency internal applications that are still using Username and Password and performing Form Based Authentication against the network directories. Fix these using Kerberos, SAML or direct x509 authentication." %}
26 |
27 | Impacts and considerations are identified to help you plan and execute according to your agency network and user needs.
28 |
29 | | Type | Impacts | Considerations |
30 | | ----- | -------| -------|
31 | | Machine Based Enforcement | The user is required to use their PIV credential to authenticate to each device where the policy is applied. | The user password is maintained. |
32 | | User Based Enforcement | The password stored for the user is removed, and changed to a long hash value unknown to the user. Your users no longer have passwords for the network. | Any applications which were implemented to prompt your users for a username and password and which are using your network domain directories will no longer be accessible. |
33 |
34 | Your applications impacted by User Based Enforcement are designed or deployed using: a) Form Based or Basic Authentication, or b) LDAP simple binds. The user will be presented with the application form to enter a username and password, and the user will no longer have the password.
35 |
36 | You want to analyze your applications and identify which are configured to use your users' network domain passwords. There are methods to fix the applications by enabling Kerberos, SPNEGO (web applications), direct x509 authentication (client certificate authentication), or the SAML and Open ID Connect (OIDC) protocols. These topics will be covered in the Applications section of the guides which are in-development and we invite *all* to contribute to!
37 |
38 | ## Defining the policies for Machine Based Enforcement or User Based Enforcement
39 | The setting to enforce PIV logon is controlled by **scforceoption** in your network domain user and workstation policies.
40 |
41 | - Machine Based Enforcement is when you apply the **scforceoption** to a workstation or server object in your network domain.
42 | - User Based Enforcement is when you apply the **scforceoption** to a user in your network domain.
43 |
44 | This is the only difference when implementing the policy: which objects in your domain you apply the policy to.
45 |
46 | You can set the policy option on a single user by checking the _Smart Card is required for interactive logon_ check box in the user account properties. You can also apply this setting using group policy objects. When the **scforceoption** setting is applied, the SMARTCARD_REQUIRED flag is added to the UserAccountControl (UAC) and the DONT_EXPIRE_PASSWORD attribute is set to true.
47 |
--------------------------------------------------------------------------------
/_networkconfig/06_tuning.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Network Tuning
4 | collection: networkconfig
5 | permalink: networkconfig/tuning/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/tuning/
7 | ---
8 |
9 | You can tune the network domain settings to help you and your users have a better experience and reduce errors. This section highlights some of the _common_ tuning configurations for network domain logon. There are additional tuning configurations and we encourage you to start with these first and contribute others.
10 |
11 | - [Cached Logon Credential Limit](#cached-logon-credential-limit)
12 | - [CRL Retrieval Timeout Settings](#crl-retrieval-timeout-settings)
13 | - [OCSP Response Caching Behavior](#ocsp-response-caching-behavior)
14 |
15 | You can also send questions to the ICAM Technology listserve (email to ICAM-COMMUNITY-TECH at listserv.gsa.gov) to ask your government colleagues for their additional tips and tricks!
16 |
17 | ### Cached Logon Credential Limit
18 | When a user authenticates to a Windows system, their logon credentials are cached to enable logon in the event the domain controller is unavailable. The [United States Government Configuration Baseline (USGCB) for Windows 7](https://usgcb.nist.gov/usgcb/microsoft/download_win7.html){:target="_blank"} specifies that ***Interactive logon: Number of previous logons to cache (in case domain controller is not available)*** should be set to ***2***.
19 |
20 | There are no required USGCB settings for _Windows 8_ or _Windows 10_.
21 |
22 | You should configure the cached logon credential limit to be at least "2" and _possibly more_ depending on the mission needs.
23 |
24 | The ***Number of previous logons to cache*** can be modified in local or group policy in the following location
25 | ***Computer Configuration\Windows Settings\Security Settings\Local Policies\Security options***
26 |
27 | More information is available on [Microsoft TechNet](https://technet.microsoft.com/en-us/library/jj852209%28v=ws.11%29.aspx){:target="_blank"}
28 |
29 | ### CRL Retrieval Timeout Settings
30 | By default, Windows will time out when downloading Certificate Revocation List(s) after 15 seconds. A number of CRLs in the government environment are large, greater than 20 MB in size, which will lead to the timeout happening. A sample scenario which can be common and a source of frustration to you and your users:
31 |
32 | - The first or the 51st user will attempt to log on in the morning in a region
33 | - The validity period and cache of the previous CRL will have expired on the domain controller
34 | - The domain controller will attempt to download the large CRL file and will hit the timeout limit
35 | - The user will receive an authentication failure (unable to logon)
36 | - The user will be able to try again and be successful
37 | - You will try to determine the root cause to diagnose the failures (i.e. chasing ghosts on the network)
38 | - This process will repeat
39 |
40 | You want to tune _both_ the OCSP Response Caching Behavior setting and the CRL Retrieval Timeout Settings.
41 |
42 | The default timeout value can be modified using local or group policy by modifying the ***Default URL retrieval timeout*** value found in the ***Certificate Path Validation Settings***, ***Network Retrieval*** tab, located in ***Computer Configuration\Windows Settings\Security Settings\Public Key Policies***
43 |
44 | Source and step-by-step instructions: [Manage Network Retrieval and Path Validation](https://technet.microsoft.com/en-us/library/cc771429%28v=ws.11%29.aspx){:target="_blank"}
45 |
46 | ### OCSP Response Caching Behavior
47 | By default, Microsoft Windows will retrieve and cache 50 OCSP Responses for any one issuing CA before switching to CRL mode. Depending on the size of the CRL, this may be a poor performance decision. For environments where workstations routinely interact with large CRLs, a large value may significantly reduce network bandwidth consumption. This value can be increased by setting the ***CryptnetCachedOcspSwitchToCrlCount*** DWORD value in the following registry key:
48 | ***HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config***
49 |
50 | Source: [Optimizing the Revocation Experience](https://technet.microsoft.com/en-us/library/ee619783%28v=ws.10%29.aspx){:target="_blank"}
51 |
--------------------------------------------------------------------------------
/_networkconfig/07_mac.md:
--------------------------------------------------------------------------------
1 |
7 |
8 | ### Considerations for MacOS X and Network Authentication
9 |
--------------------------------------------------------------------------------
/_networkconfig/08_windows10.md:
--------------------------------------------------------------------------------
1 |
7 |
8 | ### Considerations for Windows 10 and Network Authentication
9 |
--------------------------------------------------------------------------------
/_networkconfig/09_references.md:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 | ### References
10 |
11 | Elements of this guide were derived from a [Microsoft Knowledgebase Article](https://support.microsoft.com/en-us/kb/281245)
12 |
13 | ### Configuration Scripts
14 |
--------------------------------------------------------------------------------
/_networkconfig/10_localca.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Local Certification Authority
4 | permalink: networkconfig/localca/
5 | redirect_to: https://playbooks.idmanagement.gov/piv/network/localca/
6 | ---
7 |
8 | This page provides some tips for using a local certification authority to issue a domain controller certificate. This is for local Microsoft CAs. Other platforms may be used and have different procedures.
9 |
10 | {% include alert-info.html content="These procedures are accurate for using Microsoft 2012 Server, Standard Edition, for CA and Domain Controller servers as of March 2017." %}
11 |
12 | * [Prerequisites](#prerequisites)
13 | * [Install CA Role](#install-ca-role)
14 | * [Configure Certificate Template for Domain Controller](#configure-certificate-template-for-domain-controller)
15 | * [Auto-Enroll Domain Controllers Using Group Policy Object (GPO)](#auto-enroll-domain-controllers-using-group-policy-object)
16 |
17 | ## Prerequisites
18 |
19 | * The server that hosts the CA must be joined to the domain.
20 | * The CA should **never** reside on the same server(s) that are acting as Domain Controller(s). Every domain member trusts the certificates an enterprise CA issues, so compromise of the CA's signing key is as severe as compromise of the domain itself; keep the CA role on its own hardened server so that a weakness in either role does not expose the other.
21 | * You must be an Enterprise Administrator in the domain to perform these steps.
22 |
23 |
24 | ## Install CA Role
25 |
26 | 1. Log into the **CA server** as a member of the **Enterprise Administrators** group.
27 | 2. Open the **Server Manager** and click on **Manage -> Add Roles and Features**.
28 | 3. Proceed through the **Add Roles and Features Wizard** options. Choose the following:
29 | _Server Roles:_ **_Active Directory Certificate Services_**
30 | _AD CS Roles Services:_ **_Certification Authority_**
31 | 4. On the **Results** page, click on **Configure Active Directory Certificate Services on the destination server**.
32 | 5. Proceed through the **AD CS Configuration** options. Choose the following values, as required:
33 | _Role Service:_ **_Certification Authority_**
34 | _Setup Type:_ **_Enterprise CA_**
35 |     _CA Type:_ **_Root CA_** (a single-tier enterprise root is the simplest layout for issuing domain controller certificates; if your organization already operates a PKI with an offline root, issue from an enterprise subordinate CA chained to that root instead of creating a second trust anchor)
36 | _Private Key:_ **_Create a new private key_**
37 |     _Cryptography:_ **_RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256_** (the software KSP keeps the CA's private key on the server's disk; for a production CA, prefer a hardware security module's KSP so the signing key cannot be copied off the server if it is compromised)
38 | _CA Name: Use the naming convention:_ **dc=[_AD suffix_], dc=[_AD domain_], cn=[_certification authority name_]**
39 | (e.g., dc=_gov_, dc=_[AgencyName]_, cn=_[AgencyName]_ _NPE_ _CA1_)
40 | _Validity Period:_ **_6 years_**
41 | _Certificate Database:_ **_<your preference>_**
42 |
43 | ## Configure Certificate Template for Domain Controller
44 | The domain controller certificate must carry the values that clients check when they validate the domain controller during PIV logon. Duplicating the built-in **Domain Controller Authentication** template, as described below, preserves the extended key usages and subject settings that the built-in template already defines; the remaining steps set the organization-specific values.
45 |
46 | 1. Log into the CA server as a member of the **Enterprise Administrators** group.
47 | 2. Open the certificate template's **MMC snap-in** (i.e., **certtmpl.msc**).
48 | 3. Right-click on the **Domain Controller Authentication** template. Then, click on **Duplicate Template**.
49 | 4. Under the **Compatibility** tab, modify the **Compatibility Settings** for both the _CA_ and _certificate recipients_ to the highest compatible version (e.g., **Windows Server 2012 R2** or **Windows 2008 R2**).
50 | 5. Under the **General** tab, use these recommended settings:
51 | _Template Name:_ **_<Your organization> - Domain Controller Authentication_**.
52 | _Validity Period:_ **_3 years_**.
53 | _Renewal Period:_ **_6 weeks_**.
54 | 6. Under the **Cryptography** tab, set these values:
55 | _Minimum Key Size:_ **_2048_**.
56 | _Request Hash:_ **_SHA256_**
57 | 7. Open the **CA console** (i.e., certsrv.msc).
58 | 8. In the **console tree**, click on the **_[CA's name]_**.
59 | 9. In the **details** pane, double-click on **Certificate Templates**.
60 | 10. In the **console tree**, right-click on **Certificate Templates**. Then, click on **New > Certificate Template To Issue**.
61 | 11. Select and enable the **_certificate template_** that was created. Click on **OK**.
62 |
63 | ## Auto-Enroll Domain Controllers Using Group Policy Object (GPO)
64 |
65 | 1. Log into a **Domain Controller server** as a member of the **Enterprise Administrators** group.
66 | 2. Open the **GPMC**: gpmc.msc
67 | 3. Within the appropriate **GPO** applied to the Domain Controllers, go to **Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies**
68 | 4. Configure **Certificate Services Client – Auto-Enrollment** with the following options:
69 | _Configuration Model:_ **_Enabled_**.
70 |     _Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates_: **_Check all checkboxes_**.
71 | _Update Certificates That Use Certificate Templates_: **_Check the checkbox_**.
72 | 5. Apply the group policy. Run **_gpupdate /force_** at a command prompt on the domain controller, or wait for the next scheduled policy refresh (allowing time for AD replication to carry the GPO to the domain controller you are checking).
73 | 6. Open **MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer**.
74 |
75 | If successful, you will see a new Domain Controller certificate in the **_Certificate (Local Computer) -> Personal -> Certificates folder_**. At the **Certificate Template** tab, you will also see a certificate generated with the custom certificate template.
76 |
--------------------------------------------------------------------------------
/_networkconfig/11_ama.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Authentication Assurance
4 | collection: networkconfig
5 | permalink: networkconfig/ama/
6 | redirect_to: https://playbooks.idmanagement.gov/piv/network/auth/
7 | ---
8 |
9 | When a user authenticates to your network and you've enabled Single Sign-on to applications inside your network domain, you need to know which of these authenticators was used:
10 |
11 | - A username and password
12 | - A PIV credential
13 | - An alternate authenticator
14 |
15 | You need to know the type of authenticator to implement increasingly granular authorization policies, and grant or deny a user access to information available from applications and shared network resources.
16 |
17 | To grant a user access, based on the type of authenticator used, you can use a Windows Active Directory (AD) feature called _Authentication Mechanism Assurance (AMA)_. AMA maps the certificate issuance policy OID asserted in the logon certificate to a security group and adds that group's SID to the user's Kerberos ticket (in the PAC) at logon. Because membership is derived from the certificate rather than administered directly, any certification authority your domain trusts for smart card logon (that is, any CA in the NTAuth store) can confer the group by issuing a certificate that asserts the same OID; keep the NTAuth store limited to the CAs you intend to trust (see the Managing Trust Roots section of this guide).
18 |
19 | {% include alert-warning.html content="Do not use AMA to provide privileged user access." %}
20 |
21 | AMA is available for domains at the Windows Server 2008 R2 domain functional level or later.
22 |
23 | - [Implementation](#implementation)
24 | - [Testing](#testing)
25 | - [Use Case Scenarios](#use-case-scenarios)
26 | - [Other Considerations](#other-considerations)
27 |
28 | ## Implementation
29 | You can use this PowerShell script [CertificateIssuanceOIDs.ps1](https://github.com/GSA/ficam-scripts-public/tree/master/_ama){:target="_blank"} to import and set up a list of certificate issuance policies. This script:
30 |
31 | - Contains a list of certificate issuance policy object identifiers (OIDs) used by U.S. Federal Government agencies
32 | - Creates security groups with the same names as the policies
33 | - Links the policies to the security groups
34 |
35 | You can run the script with a few simple steps.
36 |
37 | - You'll need to specify the Group Distinguished Name (GroupDN) within the script. This targets where you want to create the security groups in your network directory:
38 |
39 |   - `CertificateIssuanceOIDs.ps1 -GroupDN <distinguished name of the container that will hold the new groups>`
40 | - For example: `CertificateIssuanceOIDs.ps1 -GroupDN 'OU=Groups,OU=Administrators,DC=agency,DC=gov'`
41 |
42 | - After downloading this script, review its contents before running it: it runs with your Enterprise Administrator rights and creates objects in the forest's Configuration partition (see the sample output below). You may need to change the [PowerShell script execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-5.1&viewFallbackFrom=powershell-Microsoft.PowerShell.Core){:target="_blank"} to execute the script; signing the reviewed script is preferable to lowering the machine-wide execution policy.
43 |
44 | A sample output from the script is shown below:
45 |
46 | ```
47 | PS C:\> C:\AMA\Script\CertificateIssuanceOIDs.ps1 -GroupDN 'ou=groups,ou=security,dc=agency,dc=gov'
48 |
49 | Created CN=id-fpki-common-authentication,ou=groups,ou=security,dc=agency,dc=gov
50 | 2.16.840.1.101.3.2.1.3.13 -- Unknown ObjectId
51 |
52 | Localized name added to DS store.
53 | 0: 1033,id-fpki-common-authentication
54 | CertUtil: -oid command completed successfully.
55 |
56 | Created CN=13.255922318A2AF32EC47D5B70735D4DB3,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=agency,DC=gov
57 | AD AMA set for 2.16.840.1.101.3.2.1.3.13 id-fpki-common-authentication
58 | ```
59 |
60 | **Note:** If the GroupDN is not entered in the command line when executing the script, it will prompt for the input.
61 |
62 | ```
63 | PS C:\> C:\AMA\Script\CertificateIssuanceOIDs.ps1
64 | cmdlet ama-script.ps1 at command pipeline position 1
65 | Supply values for the following parameters:
66 | GroupDN: ou=groups,ou=security,dc=agency,dc=gov
67 | ==============================================
68 | GroupDN entered is ou=groups,ou=security,dc=agency,dc=gov
69 |
70 | ```
71 |
72 | ## Testing
73 | To test the output on your network domain, log in with your PIV credential and check the groups assigned. Then log in with a username and password and confirm the group is **not** present; AMA is only useful if the group tracks the authenticator that was actually used.
74 |
75 | - Authenticate with your PIV credential
76 | - From the command line: `whoami /groups`
77 |
78 | ```
79 | agency\id-fpki-common-authentication Group S-1-5-21-1791443281-1764752353-2202401552-1113
80 | Mandatory group, Enabled by default, Enabled group
81 | ```
82 |
83 | ## Use Case Scenarios
84 |
85 | ### Authentication Pass-Through to a Federation Service
86 |
87 | A federal employee authenticates to the agency's intranet using a PIV credential and attempts to access an application hosted by a different federal agency.
88 |
89 | - The application is restricted to allow access by only users who have authenticated with a valid PIV Authentication Certificate.
90 | - All other users are denied access to the application.
91 |
92 | This federal employee successfully accesses the other federal agency's application with minimal inputs. The employee is successful because:
93 |
94 | - The employee's home agency has a Federation Service installed, and
95 | - The employee's home agency has integrated with the other agency's Federation Service
96 |
97 | During and after the employee's logon to the network, the following steps were executed without the employee's intervention:
98 |
99 | 1. The PIV authentication certificate is parsed
100 | 2. The certificate policy OID asserted allows Microsoft AD on the home agency's network to assign the user to a group specifically for PIV authenticated users
101 | 3. The user's session is granted a Kerberos ticket that includes the additional group membership
102 | 4. The user browses to the other federal agency's application
103 | 5. The user's browser is redirected to his/her home agency's Federation Service
104 | 6. The Federation Service at the home agency finds the Kerberos ticket for the user's session
105 | 7. A Security Assertion Markup Language (SAML) assertion is created by the Federation Service (This is a token translation.)
106 | 8. The SAML assertion includes the AD group membership information that identifies that this user authenticated with a PIV credential
107 | 9. The user's browser is redirected back to the other federal agency's application
108 | 10. The user is successfully authenticated with the valid SAML assertion
109 | 11. The other federal agency's application is configured to allow access to only those users who have authenticated using a PIV credential
110 |
111 | In this Use Case and steps, the user did **not** have to authenticate directly with a PIV credential to the other agency's application. A federation model was used.
112 |
113 | {% include alert-info.html content="One example for viewing this implementation pattern is Max.gov. If you click on the upper right-hand Login button, you'll see the Max.gov LOGIN page. The bottom section allows you to click on an agency icon. Each of these icons redirects the user back to that agency's Federation Service." %}
114 |
115 | ### Authentication Pass-Through for Integrated Windows Authentication
116 |
117 | A federal employee authenticates to his/her agency's intranet using a PIV credential and attempts to access a local SharePoint site.
118 |
119 | - The SharePoint site is restricted to allow access to only those users who have authenticated with a PIV Authentication Certificate.
120 | - All other users are denied access to the SharePoint site.
121 |
122 | The federal employee successfully accesses the local SharePoint site.
123 |
124 | During and after the employee's logon to the network and attempt to access the SharePoint site, the following steps were executed without the employee's intervention:
125 |
126 | 1. The PIV authentication certificate is parsed
127 | 2. The certificate policy OID asserted allows Microsoft AD on the home agency's network to assign the user to a group specifically for PIV authenticated users
128 | 3. The user's session is granted a Kerberos ticket that includes the additional group membership
129 | 4. The SharePoint site is configured to allow access only to those users who have authenticated using a PIV credential
130 |
131 |
132 | ## Other Considerations and References
133 | Use the Windows Registry Editor to set the _AMA Priority_ above _Most Recently Issued Superior Certificate Heuristic_. The value is read by the KDC service, so set it on every domain controller; a DC without it will evaluate logon certificates differently from the others:
134 |
135 | - `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc]`
136 | - `"ChainWithIssuancePolicyOIDs"=dword:00000001`
137 |
138 |
139 | Refer to [AMA Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx){:target="_blank"} to understand the implementation of AMA.
140 |
141 |
--------------------------------------------------------------------------------
/_sass/_base.scss:
--------------------------------------------------------------------------------
1 | /**
2 | * Reset some basic elements
3 | */
4 | body, h1, h2, h3, h4, h5, h6,
5 | p, blockquote, pre, hr,
6 | dl, dd, ol, ul, figure {
7 | margin: 0;
8 | padding: 0;
9 | }
10 |
11 |
12 |
13 | /**
14 | * Basic styling
15 | */
16 | body {
17 | font-family: $base-font-family;
18 | font-size: $base-font-size;
19 | line-height: $base-line-height;
20 | font-weight: 300;
21 | color: $text-color;
22 | background-color: $background-color;
23 | -webkit-text-size-adjust: 100%;
24 | }
25 |
26 |
27 |
28 | /**
29 | * Set `margin-bottom` to maintain vertical rhythm
30 | */
31 | h1, h2, h3, h4, h5, h6,
32 | p, blockquote, pre,
33 | ul, ol, dl, figure,
34 | %vertical-rhythm {
35 | margin-bottom: $spacing-unit / 2;
36 | }
37 |
38 |
39 |
40 | /**
41 | * Images
42 | */
43 | img {
44 | max-width: 100%;
45 | vertical-align: middle;
46 | }
47 |
48 |
49 |
50 | /**
51 | * Figures
52 | */
53 | figure > img {
54 | display: block;
55 | }
56 |
57 | figcaption {
58 | font-size: $small-font-size;
59 | }
60 |
61 |
62 |
63 | /**
64 | * Lists
65 | */
66 | ul, ol {
67 | margin-left: $spacing-unit;
68 | }
69 |
70 | li {
71 | > ul,
72 | > ol {
73 | margin-bottom: 0;
74 | }
75 | }
76 |
77 |
78 |
79 | /**
80 | * Headings
81 | */
82 | h1, h2, h3, h4, h5, h6 {
83 | font-weight: 300;
84 | }
85 |
86 |
87 |
88 | /**
89 | * Links
90 | */
91 | a {
92 | color: $brand-color;
93 | text-decoration: none;
94 |
95 | &:visited {
96 | color: darken($brand-color, 15%);
97 | }
98 |
99 | &:hover {
100 | color: $text-color;
101 | text-decoration: underline;
102 | }
103 | }
104 |
105 |
106 |
107 | /**
108 | * Blockquotes
109 | */
110 | blockquote {
111 | color: $grey-color;
112 | border-left: 4px solid $grey-color-light;
113 | padding-left: $spacing-unit / 2;
114 | font-size: 18px;
115 | letter-spacing: -1px;
116 | font-style: italic;
117 |
118 | > :last-child {
119 | margin-bottom: 0;
120 | }
121 | }
122 |
123 |
124 |
125 | /**
126 | * Code formatting
127 | */
128 | pre,
129 | code {
130 | font-size: 15px;
131 | border: 1px solid $grey-color-light;
132 | border-radius: 3px;
133 | background-color: #cccccc;
134 | }
135 |
136 | code {
137 | padding: 1px 5px;
138 | }
139 |
140 | pre {
141 | padding: 8px 12px;
142 | overflow-x: scroll;
143 |
144 | > code {
145 | border: 0;
146 | padding-right: 0;
147 | padding-left: 0;
148 | }
149 | }
150 |
151 |
152 |
153 | /**
154 | * Wrapper
155 | */
156 | .wrapper {
157 | max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit} * 2));
158 | max-width: calc(#{$content-width} - (#{$spacing-unit} * 2));
159 | margin-right: auto;
160 | margin-left: auto;
161 | padding-right: $spacing-unit;
162 | padding-left: $spacing-unit;
163 | @extend %clearfix;
164 |
165 | @include media-query($on-laptop) {
166 | max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit}));
167 | max-width: calc(#{$content-width} - (#{$spacing-unit}));
168 | padding-right: $spacing-unit / 2;
169 | padding-left: $spacing-unit / 2;
170 | }
171 | }
172 |
173 |
174 |
175 | /**
176 | * Clearfix
177 | */
178 | %clearfix {
179 |
180 | &:after {
181 | content: "";
182 | display: table;
183 | clear: both;
184 | }
185 | }
186 |
187 |
188 |
189 | /**
190 | * Icons
191 | */
192 | .icon {
193 |
194 | > svg {
195 | display: inline-block;
196 | width: 16px;
197 | height: 16px;
198 | vertical-align: middle;
199 |
200 | path {
201 | fill: $grey-color;
202 | }
203 | }
204 | }
205 |
--------------------------------------------------------------------------------
/_sass/_layout.scss:
--------------------------------------------------------------------------------
1 | /**
2 | * Site header
3 | */
4 | .site-header {
5 | border-top: 5px solid $grey-color-dark;
6 | border-bottom: 1px solid $grey-color-light;
7 | min-height: 56px;
8 |
9 | // Positioning context for the mobile navigation icon
10 | position: relative;
11 | }
12 |
13 | .site-title {
14 | font-size: 26px;
15 | line-height: 56px;
16 | letter-spacing: -1px;
17 | margin-bottom: 0;
18 | float: left;
19 |
20 | &,
21 | &:visited {
22 | color: $grey-color-dark;
23 | }
24 | }
25 |
26 | .site-nav {
27 | float: right;
28 | line-height: 56px;
29 |
30 | .menu-icon {
31 | display: none;
32 | }
33 |
34 | .page-link {
35 | color: $text-color;
36 | line-height: $base-line-height;
37 |
38 | // Gaps between nav items, but not on the first one
39 | &:not(:first-child) {
40 | margin-left: 20px;
41 | }
42 | }
43 |
44 | @include media-query($on-palm) {
45 | position: absolute;
46 | top: 9px;
47 | right: 30px;
48 | background-color: $background-color;
49 | border: 1px solid $grey-color-light;
50 | border-radius: 5px;
51 | text-align: right;
52 |
53 | .menu-icon {
54 | display: block;
55 | float: right;
56 | width: 36px;
57 | height: 26px;
58 | line-height: 0;
59 | padding-top: 10px;
60 | text-align: center;
61 |
62 | > svg {
63 | width: 18px;
64 | height: 15px;
65 |
66 | path {
67 | fill: $grey-color-dark;
68 | }
69 | }
70 | }
71 |
72 | .trigger {
73 | clear: both;
74 | display: none;
75 | }
76 |
77 | &:hover .trigger {
78 | display: block;
79 | padding-bottom: 5px;
80 | }
81 |
82 | .page-link {
83 | display: block;
84 | padding: 5px 10px;
85 | }
86 | }
87 | }
88 |
89 |
90 | /**
91 | * Site footer
92 | */
93 | .site-footer {
94 | border-top: 1px solid $grey-color-light;
95 | padding: $spacing-unit 0;
96 | }
97 |
98 | .footer-heading {
99 | font-size: 18px;
100 | margin-bottom: $spacing-unit / 2;
101 | }
102 |
103 | .contact-list,
104 | .social-media-list {
105 | list-style: none;
106 | margin-left: 0;
107 | }
108 |
109 | .footer-col-wrapper {
110 | font-size: 15px;
111 | color: $grey-color;
112 | margin-left: -$spacing-unit / 2;
113 | @extend %clearfix;
114 | }
115 |
116 | .footer-col {
117 | float: left;
118 | margin-bottom: $spacing-unit / 2;
119 | padding-left: $spacing-unit / 2;
120 | }
121 |
122 | .footer-col-1 {
123 | width: -webkit-calc(35% - (#{$spacing-unit} / 2));
124 | width: calc(35% - (#{$spacing-unit} / 2));
125 | }
126 |
127 | .footer-col-2 {
128 | width: -webkit-calc(20% - (#{$spacing-unit} / 2));
129 | width: calc(20% - (#{$spacing-unit} / 2));
130 | }
131 |
132 | .footer-col-3 {
133 | width: -webkit-calc(45% - (#{$spacing-unit} / 2));
134 | width: calc(45% - (#{$spacing-unit} / 2));
135 | }
136 |
137 | @include media-query($on-laptop) {
138 | .footer-col-1,
139 | .footer-col-2 {
140 | width: -webkit-calc(50% - (#{$spacing-unit} / 2));
141 | width: calc(50% - (#{$spacing-unit} / 2));
142 | }
143 |
144 | .footer-col-3 {
145 | width: -webkit-calc(100% - (#{$spacing-unit} / 2));
146 | width: calc(100% - (#{$spacing-unit} / 2));
147 | }
148 | }
149 |
150 | @include media-query($on-palm) {
151 | .footer-col {
152 | float: none;
153 | width: -webkit-calc(100% - (#{$spacing-unit} / 2));
154 | width: calc(100% - (#{$spacing-unit} / 2));
155 | }
156 | }
157 |
158 |
159 |
160 | /**
161 | * Page content
162 | */
163 | .page-content {
164 | padding: $spacing-unit 0;
165 | }
166 |
167 | .page-heading {
168 | font-size: 20px;
169 | }
170 |
171 | .post-list {
172 | margin-left: 0;
173 | list-style: none;
174 |
175 | > li {
176 | margin-bottom: $spacing-unit;
177 | }
178 | }
179 |
180 | .post-meta {
181 | font-size: $small-font-size;
182 | color: $grey-color;
183 | }
184 |
185 | .post-link {
186 | display: block;
187 | font-size: 24px;
188 | }
189 |
190 |
191 |
192 | /**
193 | * Posts
194 | */
195 | .post-header {
196 | margin-bottom: $spacing-unit;
197 | }
198 |
199 | .post-title {
200 | font-size: 42px;
201 | letter-spacing: -1px;
202 | line-height: 1;
203 |
204 | @include media-query($on-laptop) {
205 | font-size: 36px;
206 | }
207 | }
208 |
209 | .post-content {
210 | margin-bottom: $spacing-unit;
211 |
212 | h2 {
213 | font-size: 32px;
214 |
215 | @include media-query($on-laptop) {
216 | font-size: 28px;
217 | }
218 | }
219 |
220 | h3 {
221 | font-size: 26px;
222 |
223 | @include media-query($on-laptop) {
224 | font-size: 22px;
225 | }
226 | }
227 |
228 | h4 {
229 | font-size: 20px;
230 |
231 | @include media-query($on-laptop) {
232 | font-size: 18px;
233 | }
234 | }
235 | }
236 |
--------------------------------------------------------------------------------
/_sass/_syntax-highlighting.scss:
--------------------------------------------------------------------------------
1 | /**
2 | * Syntax highlighting styles
3 | */
4 | .highlight {
5 | background: #fff;
6 | @extend %vertical-rhythm;
7 |
8 | .c { color: #998; font-style: italic } // Comment
9 | .err { color: #a61717; background-color: #e3d2d2 } // Error
10 | .k { font-weight: bold } // Keyword
11 | .o { font-weight: bold } // Operator
12 | .cm { color: #998; font-style: italic } // Comment.Multiline
13 | .cp { color: #999; font-weight: bold } // Comment.Preproc
14 | .c1 { color: #998; font-style: italic } // Comment.Single
15 | .cs { color: #999; font-weight: bold; font-style: italic } // Comment.Special
16 | .gd { color: #000; background-color: #fdd } // Generic.Deleted
17 | .gd .x { color: #000; background-color: #faa } // Generic.Deleted.Specific
18 | .ge { font-style: italic } // Generic.Emph
19 | .gr { color: #a00 } // Generic.Error
20 | .gh { color: #999 } // Generic.Heading
21 | .gi { color: #000; background-color: #dfd } // Generic.Inserted
22 | .gi .x { color: #000; background-color: #afa } // Generic.Inserted.Specific
23 | .go { color: #888 } // Generic.Output
24 | .gp { color: #555 } // Generic.Prompt
25 | .gs { font-weight: bold } // Generic.Strong
26 | .gu { color: #aaa } // Generic.Subheading
27 | .gt { color: #a00 } // Generic.Traceback
28 | .kc { font-weight: bold } // Keyword.Constant
29 | .kd { font-weight: bold } // Keyword.Declaration
30 | .kp { font-weight: bold } // Keyword.Pseudo
31 | .kr { font-weight: bold } // Keyword.Reserved
32 | .kt { color: #458; font-weight: bold } // Keyword.Type
33 | .m { color: #099 } // Literal.Number
34 | .s { color: #d14 } // Literal.String
35 | .na { color: #008080 } // Name.Attribute
36 | .nb { color: #0086B3 } // Name.Builtin
37 | .nc { color: #458; font-weight: bold } // Name.Class
38 | .no { color: #008080 } // Name.Constant
39 | .ni { color: #800080 } // Name.Entity
40 | .ne { color: #900; font-weight: bold } // Name.Exception
41 | .nf { color: #900; font-weight: bold } // Name.Function
42 | .nn { color: #555 } // Name.Namespace
43 | .nt { color: #000080 } // Name.Tag
44 | .nv { color: #008080 } // Name.Variable
45 | .ow { font-weight: bold } // Operator.Word
46 | .w { color: #bbb } // Text.Whitespace
47 | .mf { color: #099 } // Literal.Number.Float
48 | .mh { color: #099 } // Literal.Number.Hex
49 | .mi { color: #099 } // Literal.Number.Integer
50 | .mo { color: #099 } // Literal.Number.Oct
51 | .sb { color: #d14 } // Literal.String.Backtick
52 | .sc { color: #d14 } // Literal.String.Char
53 | .sd { color: #d14 } // Literal.String.Doc
54 | .s2 { color: #d14 } // Literal.String.Double
55 | .se { color: #d14 } // Literal.String.Escape
56 | .sh { color: #d14 } // Literal.String.Heredoc
57 | .si { color: #d14 } // Literal.String.Interpol
58 | .sx { color: #d14 } // Literal.String.Other
59 | .sr { color: #009926 } // Literal.String.Regex
60 | .s1 { color: #d14 } // Literal.String.Single
61 | .ss { color: #990073 } // Literal.String.Symbol
62 | .bp { color: #999 } // Name.Builtin.Pseudo
63 | .vc { color: #008080 } // Name.Variable.Class
64 | .vg { color: #008080 } // Name.Variable.Global
65 | .vi { color: #008080 } // Name.Variable.Instance
66 | .il { color: #099 } // Literal.Number.Integer.Long
67 | }
68 |
--------------------------------------------------------------------------------
/_userguides/00_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: PIV User Guides
4 | collection: userguides
5 | permalink: /userguides/
6 | redirect_to: https://playbooks.idmanagement.gov/playbooks/
7 | ---
8 |
9 | These user guides will help agency users with PIV related tasks.
10 |
11 | {% for item in site.userguides reversed %}
12 | {% assign link = item.permalink | remove: '/' %}
13 | {% if link != item.collection %}
14 |
15 |
');
40 | $(sampleCodeBox).find('code').text($(sampleCode).html());
41 | $(previewBox).after(sampleCodeBox);
42 | }
43 |
44 | $(content).find(previewBox).each(function(index, previewBox) {
45 |
46 | var sampleCode = self.parseCode(previewBox);
47 | self.render(previewBox, sampleCode);
48 |
49 | });
50 |
51 | }
52 |
53 | generateCodeSnippets('.main-content', '.preview');
54 |
55 | });
56 |
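/* Calculates what scrollTop should be in order to
 * show an anchor properly under the header
 * and lined up with the nav like the H1
 *
 * `hash` is the fragment identifier without its leading '#'. Callers take it
 * straight from window.location.hash or from a sidenav href, so it is
 * untrusted text. It is resolved with document.getElementById, which treats
 * the id literally; interpolating it into a jQuery selector ('#' + hash)
 * would make $() throw "Syntax error, unrecognized expression" on ids or
 * fragments containing selector metacharacters (')', ']', '%', ...) and
 * abort the calling handler.
 *
 * Returns 0 when hash is missing/empty or no element carries that id;
 * otherwise the page offset at which the anchor sits just below the header.
 * NOTE(review): the id is compared literally, so a percent-encoded fragment
 * (non-ASCII ids) would need decodeURIComponent at the caller — confirm
 * whether such ids exist.
 */
var calculateAnchorPosition = function (hash) {
  var topOffset = 0;

  // the click handler can pass undefined when an href has no '#'
  if (typeof hash !== 'string' || hash === '') {
    return topOffset;
  }

  var element = document.getElementById(hash);
  if (!element) {
    return topOffset;
  }

  var anchor = $(element);
  var navPadding = parseInt($('.sidenav').css('padding-top'), 10);
  var anchorPadding = parseInt(anchor.css('padding-top'), 10);

  //start with the height of the header
  topOffset = $('.usa-site-header').first().outerHeight();
  //subtract the difference in padding between nav top and anchor
  topOffset = topOffset - (anchorPadding - navPadding);

  //anchor should now align with first item inside nav
  return anchor.offset().top - topOffset;
}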
79 |
80 |
/* When user lands on a page with a hash in the url
 * default behavior will put the title at the very top
 * and the header will cover the top of the section.
 * This interrupts that and positions section title correctly.
 * Does nothing when there is no fragment or the anchor is not found
 * (calculateAnchorPosition returns 0 in that case).
 */
$(function () {
  var fragment = window.location.hash.substr(1);
  if (!fragment) {
    return;
  }

  var targetTop = calculateAnchorPosition(fragment);
  if (targetTop <= 0) {
    return;
  }

  //setTimeout ensures proper ordering of events
  //and makes this happens after the browser's default jump
  setTimeout(function () {
    $(window).scrollTop(targetTop);
  }, 1);
});
98 |
//capture that the enter key was used to "click" a sidenav link;
//the flag is stored on the link so the click handler can move
//keyboard focus to the target section afterwards
$('.sidenav').on('keydown', 'a', function (e) {
  var ENTER_KEY_CODE = 13;
  if (e.which !== ENTER_KEY_CODE) {
    return;
  }
  $(this).data('keypress', true);
});
106 |
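/* Smooth-scroll to the section a sidenav link points at, placing the
 * heading below the fixed header (see calculateAnchorPosition) instead of
 * letting the browser jump it underneath.
 *
 * This is a delegated handler, so `this` is the <a> that matched while
 * e.target may be a child element inside the link; the keypress flag set by
 * the keydown handler is therefore read from `this`, not e.target.
 * Links without a '#' fragment, and fragments with no matching element,
 * fall through to the browser's default navigation.
 */
$('.sidenav').on('click', 'a', function(e) {
  var link = $(this);
  var href = link.attr('href') || '';
  var hashLocation = href.split('#')[1]; // long url splitting

  //no fragment in the href: nothing to scroll to, let the browser navigate
  if (!hashLocation) {
    return true;
  }

  var scrollTopPos = calculateAnchorPosition(hashLocation);

  //if anchor doesn't exist on the page, or calc fails
  //then exit gracefully
  if (scrollTopPos === 0) {
    return true;
  }

  e.preventDefault();

  /* Firefox needs html, others need body */
  $('body,html').animate({
    scrollTop: scrollTopPos
  }, {
    duration: 200,
    start: function () {
      var newHash = '#' + hashLocation;

      //using pushState is easiest way to prevent double jumps
      if(history && history.pushState && window.location.hash !== newHash) {
        history.pushState(null, null, newHash);
      } else if (window.location.hash !== newHash) {
        window.location.hash = newHash;
      }
    },
    done: function () {
      //if keyboard was used, update keyboard focus to section
      //(looked up by id rather than via a '#' selector, so an id with
      // selector metacharacters cannot make $() throw here)
      var section = $(document.getElementById(hashLocation));

      if (link.data('keypress') === true) {
        link.removeData('keypress');
        section.attr('tabindex','0');
        section.focus();
      }
    }
  });
});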
147 |
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-bold-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-italic-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-light-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-light-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-light-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-light-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-light-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-light-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-light-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-light-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/merriweather-regular-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-bold-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-italic-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-light-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.eot
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.ttf
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.woff
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/fonts/sourcesanspro-regular-webfont.woff2
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/alerts/error.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/error.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/alerts/info.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/info.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/success.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/alerts/success.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/success.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/warning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/alerts/warning.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/alerts/warning.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/arrow-down.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/arrow-down.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/arrow-down.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/arrow-right.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/arrow-right.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/arrow-right.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/correct8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/correct8.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/correct8.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/correct9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/correct9.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/correct9.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon-114.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon-114.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon-144.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon-144.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon-16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon-16.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon-192.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon-192.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon-57.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon-57.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon-72.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon-72.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon.ico
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/favicons/favicon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/favicons/favicon.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/logo-img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/logo-img.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/minus.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/minus.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/minus.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/plus.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/plus.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/plus.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/search.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/search.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/search.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/png/facebook25.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/social-icons/png/facebook25.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/png/rss25.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/social-icons/png/rss25.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/png/twitter16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/social-icons/png/twitter16.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/png/youtube15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/social-icons/png/youtube15.png
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/svg/facebook25.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/svg/rss25.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/svg/twitter16.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/social-icons/svg/youtube15.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/assets/uswds-0.9.1/img/us_flag_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/assets/uswds-0.9.1/img/us_flag_small.png
--------------------------------------------------------------------------------
/img/certificatechain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/certificatechain.png
--------------------------------------------------------------------------------
/img/certificatechain_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/certificatechain_small.png
--------------------------------------------------------------------------------
/img/elements.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/elements.png
--------------------------------------------------------------------------------
/img/linux_tux.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/linux_tux.png
--------------------------------------------------------------------------------
/img/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/logo.png
--------------------------------------------------------------------------------
/img/microsoft.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/microsoft.png
--------------------------------------------------------------------------------
/img/ofr_add_digital_signature_new.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_add_digital_signature_new.png
--------------------------------------------------------------------------------
/img/ofr_certificate_details.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_certificate_details.png
--------------------------------------------------------------------------------
/img/ofr_certificate_types.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_certificate_types.png
--------------------------------------------------------------------------------
/img/ofr_enter_your_pin_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_enter_your_pin_3.png
--------------------------------------------------------------------------------
/img/ofr_remove_invisible_sign_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_remove_invisible_sign_4.png
--------------------------------------------------------------------------------
/img/ofr_sign_box_with_name_appears_here_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_sign_box_with_name_appears_here_3.png
--------------------------------------------------------------------------------
/img/ofr_sign_box_with_no_name_2.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_sign_box_with_no_name_2.PNG
--------------------------------------------------------------------------------
/img/ofr_signature_confirmation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_signature_confirmation.png
--------------------------------------------------------------------------------
/img/ofr_signatures_pane_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_signatures_pane_5.png
--------------------------------------------------------------------------------
/img/ofr_windows_sec_piv_or_purch_cert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_windows_sec_piv_or_purch_cert.png
--------------------------------------------------------------------------------
/img/ofr_word_add_digital_signature_1.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ofr_word_add_digital_signature_1.PNG
--------------------------------------------------------------------------------
/img/piv.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/piv.png
--------------------------------------------------------------------------------
/img/piv_aia_ocsp_gsa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/piv_aia_ocsp_gsa.png
--------------------------------------------------------------------------------
/img/piv_aia_ocsp_gsa_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/piv_aia_ocsp_gsa_small.png
--------------------------------------------------------------------------------
/img/piv_crl_gsa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/piv_crl_gsa.png
--------------------------------------------------------------------------------
/img/piv_crl_gsa_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/piv_crl_gsa_small.png
--------------------------------------------------------------------------------
/img/pivcertificatechain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/pivcertificatechain.png
--------------------------------------------------------------------------------
/img/pivcertificatechain_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/pivcertificatechain_small.png
--------------------------------------------------------------------------------
/img/ssh-putty-cac-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ssh-putty-cac-1.png
--------------------------------------------------------------------------------
/img/ssh-putty-cac-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/ssh-putty-cac-2.png
--------------------------------------------------------------------------------
/img/winSCP-1.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-1.PNG
--------------------------------------------------------------------------------
/img/winSCP-10.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-10.PNG
--------------------------------------------------------------------------------
/img/winSCP-2.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-2.PNG
--------------------------------------------------------------------------------
/img/winSCP-3.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-3.PNG
--------------------------------------------------------------------------------
/img/winSCP-4.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-4.PNG
--------------------------------------------------------------------------------
/img/winSCP-5.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-5.PNG
--------------------------------------------------------------------------------
/img/winSCP-6.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-6.PNG
--------------------------------------------------------------------------------
/img/winSCP-7.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-7.PNG
--------------------------------------------------------------------------------
/img/winSCP-8.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-8.PNG
--------------------------------------------------------------------------------
/img/winSCP-9.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/winSCP-9.PNG
--------------------------------------------------------------------------------
/img/word-signature-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-1.png
--------------------------------------------------------------------------------
/img/word-signature-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-10.png
--------------------------------------------------------------------------------
/img/word-signature-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-11.png
--------------------------------------------------------------------------------
/img/word-signature-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-12.png
--------------------------------------------------------------------------------
/img/word-signature-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-13.png
--------------------------------------------------------------------------------
/img/word-signature-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-14.png
--------------------------------------------------------------------------------
/img/word-signature-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-15.png
--------------------------------------------------------------------------------
/img/word-signature-16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-16.png
--------------------------------------------------------------------------------
/img/word-signature-17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-17.png
--------------------------------------------------------------------------------
/img/word-signature-18.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-18.png
--------------------------------------------------------------------------------
/img/word-signature-19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-19.png
--------------------------------------------------------------------------------
/img/word-signature-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-2.png
--------------------------------------------------------------------------------
/img/word-signature-20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-20.png
--------------------------------------------------------------------------------
/img/word-signature-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-3.png
--------------------------------------------------------------------------------
/img/word-signature-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-4.png
--------------------------------------------------------------------------------
/img/word-signature-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-5.png
--------------------------------------------------------------------------------
/img/word-signature-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-6.png
--------------------------------------------------------------------------------
/img/word-signature-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-7.png
--------------------------------------------------------------------------------
/img/word-signature-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-8.png
--------------------------------------------------------------------------------
/img/word-signature-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/piv-guides/66bfe3c94bb5a17980e515fd3fa4b724f273b2fb/img/word-signature-9.png
--------------------------------------------------------------------------------
/pages/contribute.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: How to Contribute
4 | permalink: /contribute/
5 | redirect_to: https://playbooks.idmanagement.gov/contribute/
6 | ---
7 |
8 | Thank you for considering contributing to our development of open and transparent PIV Guides. Everyone has tricks and tips and we want to share these with our colleagues!
9 |
10 | To contribute to this site, you can:
11 |
12 | - [Open an Issue](#open-an-issue)
13 | - [Edit an existing page](#edit-an-existing-page)
14 | - [Add a new page](#add-a-new-page)
15 | - [Notes on using this repository](#notes-on-using-this-repository)
16 |
17 | Using GitHub as a first time user can be overwhelming. An introduction video is available from DigitalGov on YouTube: [Introduction to GitHub](https://www.youtube.com/watch?v=uNa9GOtM6NE&t=1737s){:target="blank"}.
18 |
19 |
20 | ## Open an Issue
21 |
22 | Issues are the primary way of sharing information and discussing this site with the broader community. For example, Issues can be used for:
23 |
24 | * _Suggestions:_ You would like to suggest an edit or addition to any existing pages or information on this site
25 | * _Corrections:_ You have identified a problem with existing information on the site and would like to discuss a correction
26 |
27 | Issues may be submitted by clicking **Submit Issues Here** in the bottom of the left side navigation.
28 |
29 | For a quick guide on opening Issues, read [how to open issues.]({{site.baseurl}}/openissue/){:target="_blank"}
30 |
31 | ## Edit an existing page
32 |
33 | Direct changes and line edits to the content may be submitted by clicking **Edit this page** in the top right hand corner of each page. You do not need to install any software to submit content. You can use GitHub's in-browser editor to edit files and submit the changes for discussion.
34 |
35 | For a quick guide on editing a page, read [how to edit a page.]({{site.baseurl}}/editpage/){:target="_blank"}
36 |
37 | ## Add a new page
38 | We welcome new pages and appreciate your contributions!
39 |
40 | First, propose a topic by [opening an Issue]({{site.baseurl}}/contribute/#open-an-issue){:target="blank"}. If you don't have a topic, a good place to start is by reviewing the existing **Issues** lists.
41 |
42 | * [PIV Guides Issues](https://github.com/GSA/piv-guides/issues){:target="blank"}
43 | * [Federal PKI Guides Issues](https://github.com/GSA/fpki-guides/issues){:target="blank"}
44 | * [FICAM Architecture Issues](https://github.com/GSA/ficam-arch/issues){:target="blank"}
45 |
46 | Choose one of the Issues and start a conversation on the Issue. You help clarify the problem and identify the solution by discussing the Issue first, and you can propose a format for the new page. When you are ready, add a comment to the Issue that you would like to write up the solution! We will create a new **branch** for you if needed.
47 |
48 | For a quick guide on adding a page, read [how to add a page.]({{site.baseurl}}/addpage/){:target="_blank"}
49 |
50 | We have a [sample template with markdown samples]({{ site.repo_url }}/blob/{{ site.branch }}/pages/template.md){:target="blank"}.
51 |
52 | ## Notes on using this repository
53 |
54 | In the GitHub repository [here]({{site.repo_url}}){:target="_blank"} under the 'Code' tab:
55 |
56 | 
57 |
58 | There are folders containing the content and diagrams.
59 |
60 | * _pages_: includes the pages for Introduction, Identifiers, Getting Started, and Certificate Trust
61 | * _networkconfig_: includes the pages for the configurations for network authentication
62 | * _img_: includes all diagrams and images and are available for download and reuse anywhere
63 |
64 | We encourage you to read our [LICENSE]({{ site.repo_url }}/blob/{{ site.branch }}/LICENSE.md){:target="_blank"} and our [README]({{ site.repo_url }}/blob/{{ site.branch }}/README.md){:target="_blank"}, which exist within this repository.
65 |
66 | ### General Practices
67 |
68 | This content is Vendor neutral. Marketing materials for Commercial Products should not be submitted. If you would like to contribute a page or content which includes Commercial Products and specific references for development and engineering, please review the Commercial Product trademark or copyright guides from the Product Vendor and reference those guides in your Pull Request.
69 |
70 | ### Plain Language
71 |
72 | Contributors should consider the audience when submitting content. Plain language benefits a broad audience. Review your proposed content for use of acronyms and specialized jargon before submitting.
73 |
74 | * All pages should be brief.
75 | * Use titles to help the user identify jumping off points for information.
76 | * Paragraphs should be short.
77 | * All text should be written in plain language and in a user-friendly active voice as much as possible.
78 | * Use numbered steps, bullet lists, and graphics.
79 |
80 | The following sources can provide additional help with plain language, writing, and style:
81 |
82 | * [18F Content Guide](https://content-guide.18f.gov/){:target="_blank"}
83 | * [Federal Plain Language Guidelines](http://www.plainlanguage.gov/){:target="_blank"}
84 |
85 |
86 | ## Thanks
87 |
88 | The idea for providing this content as open source, the contributing framework, and the licensing framework are based on work from [18F](https://18f.gsa.gov){:target="_blank"}
89 |
90 |
91 |
--------------------------------------------------------------------------------
/pages/contribute_addpage.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Add a Page
4 | permalink: /addpage/
5 | redirect_to: https://playbooks.idmanagement.gov/contribute/#add-a-page
6 | ---
7 |
8 | To Add a page:
9 |
10 | * [Create a GitHub account](#create-a-github-account)
11 | * [Fork the repository](#fork-the-repository)
12 | * [Create a page](#create-a-page)
13 | * [Submit your draft page](#submit-your-draft-page)
14 |
15 | Using GitHub as a first time user can be overwhelming! An introduction video is available from DigitalGov on YouTube: [Introduction to GitHub](https://www.youtube.com/watch?v=uNa9GOtM6NE&t=1737s){:target="blank"}.
16 |
17 | ### **Establish a GitHub account.**
18 | You can create an account by browsing to: [Join GitHub](https://github.com/join).
19 |
20 | * GitHub allows you to remain almost anonymous if you prefer. Make sure you select the options that suit you on the “Profile” and “Emails” pages of your “Personal Settings”.
21 | * We also highly encourage you to turn on **two-factor authentication** in the “Security” page, also part of “Personal Settings”.
22 | 
23 |
24 | ### Fork the Repository
25 |
26 | Once you have a GitHub account, you can create a personal copy (called a "_fork_") to work on in your GitHub profile. It's simple:
27 |
28 | * In the upper right-hand corner, click on the **Fork** button.
29 |
30 | A version controlled _copy_ will now be in your GitHub profile.
31 |
32 | For more help with forking a repo, go to [Fork a Repo](https://help.github.com/articles/fork-a-repo/){:target="blank"}
33 |
34 | ### Create a Page
35 |
36 | We have a sample template with markdown available. You first create a new page, then edit the page, write your guide, and finally submit the content.
37 |
38 | To create a new **Page** where you can write your guide:
39 |
40 | 1. Check the **_Branch_** button to ensure that the new branch name is displayed. If it isn't, select it from the Branch drop-down list.
41 | 2. Click on the **_Create New File_** button located above the top right-hand area of your repository's window (above the folders and files listing).
42 | 3. In the text box, enter your new Page's name with the extension **.md** for Markdown
43 | 4. Scroll to the bottom of your Page. Below the **Commit new file** comment box, click on the green **Commit new file** button to save your new Page.
44 |
45 | You can edit your page and even copy the template directly to get started:
46 |
47 | * View the [template sample]({{repo_url}}/pages/template.md){:target="blank"}.
48 | * Click the 'Raw' button towards the top right of the page to view the file as raw code. Within this file are helpful comments and instructions on where different parts of your content will be entered.
49 | * Copy all of the samples from the template into your new page, add your content, and delete items you don't need.
50 |
51 |
52 | ### How to Submit Your Draft Guide
53 |
54 | * When you add a new page and have your own fork, you will submit a Pull Request.
55 | * [Creating a Pull Request](https://help.github.com/articles/creating-a-pull-request-from-a-fork/){:target="blank"}
56 |
57 | Be sure to follow the progress of the issue that you opened stating what content you intended to add! This will allow you to see if others have comments or contributing information for the process, or if the site admin has responded with an updated status on your new page.
58 |
59 | If you have a question during the contribution process, do not hesitate to open an issue requesting clarification. You can also email us at icam at gsa dot gov.
60 |
61 |
62 |
--------------------------------------------------------------------------------
/pages/contribute_editpage.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Edit a Page
4 | permalink: /editpage/
5 | redirect_to: https://playbooks.idmanagement.gov/contribute/#edit-a-page
6 | ---
7 |
8 | To Edit a page:
9 |
10 | 1. **Establish a GitHub account.**
11 | You can create an account by browsing to: [Join GitHub](https://github.com/join).
12 |
13 | * GitHub allows you to remain almost anonymous if you prefer. Make sure you select the options that suit you on the “Profile” and “Emails” pages of your “Personal Settings”.
14 | * We also highly encourage you to turn on **two-factor authentication** in the “Security” page, also part of “Personal Settings”.
15 | 
16 |
17 | 2. When you want to Edit a Page, click on the **Edit this page** link in the upper right hand corner of the **webpage** OR
18 |
19 | 2. Click on the _Edit this file_ icon in the right hand corner. It will appear as a pencil icon.
20 | 
21 |
22 | 2. You will see a message that a new copy has been created for you, in your GitHub account:
23 | 
24 |
25 | 2. Change the content, or add new content.
26 | 
27 |
28 | 2. You can click the _Preview changes_ tab to see your changes
29 | 
30 |
31 | 2. Scroll down to the bottom to find the _Propose file change_ box. Enter the description for your change, and any references. Then click on **Propose file change**
32 | 
33 |
34 | 2. You will be shown the option to review the change and to **Create pull request**. A pull request is you submitting your changes, and asking for reviews and comments from your peers.
35 | 
36 |
37 | 2. You can track your Pull Request, and comments from your colleagues by going back to the repository [here]({{site.repo_url}}) and clicking the **Pull request** tab.
38 | 
39 |
40 |
--------------------------------------------------------------------------------
/pages/contribute_openissue.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Opening Issues
4 | permalink: /openissue/
5 | redirect_to: https://playbooks.idmanagement.gov/contribute/#open-an-issue
6 | ---
7 |
8 | To submit comments and open an Issue:
9 |
10 | 1. **Establish a GitHub account.**
11 | To submit a comment or open an Issue, you will need to create a GitHub account.
12 | Create an account by browsing to this site: https://github.com/join
13 | GitHub allows you to remain pseudonymous; you can select the options that suit you on the _Profile_ and _Emails_ pages of your _Personal Settings_ in your GitHub account.
14 | We also highly encourage you to turn on **two-factor authentication** in the _Security_ page, also part of _Personal Settings_.
15 | 
16 |
17 | 2. Open an issue by clicking on the **Submit Issues Here** link in the lower right hand corner of the **webpage**; OR if you are in GitHub, click the "Issues" tab.
18 |
19 | 2. **Review open and closed issues to determine if a similar issue has already been created.**
20 |
21 | 2. Click on the _New Issue_ button in the upper right of the screen.
22 | 
23 |
24 | 2. Provide a short description in the field labeled _Title_ for the feedback being provided.
25 | 
26 |
27 | 2. Enter information in the _Write_ box and describe the issue.
28 |
29 | 2. Select _Submit New Issue_ and you are done!
30 | 
31 |
32 | 2. To track comments through email and monitor future changes, choose to _Watch_ the project!
33 | 
34 |
35 | If you are familiar with GitHub, you are also welcome to provide changes as a **Pull Request**.
36 |
--------------------------------------------------------------------------------
/pages/details.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Details of a PIV Credential
4 | permalink: /details/
5 | redirect_to: https://playbooks.idmanagement.gov/piv/details/
6 | ---
7 |
8 | You can use these simple methods to view, export, and understand the information stored on a PIV credential.
9 |
10 | - [View Your PIV Credential Certificates](#view-your-piv-credential-certificates)
11 | - [Export PIV Certificates](#export-piv-certificates)
12 | - [Understand PIV Certificates](#understand-piv-certificates)
13 |
14 | ## View Your PIV Credential Certificates
15 | Almost **all** of the methods for using your PIV credential for networks, applications, digital signatures, and encryption involve the certificates and key pairs stored on your PIV credential. There are also scenarios where additional information (such as biometrics) is also accessed and used.
16 |
17 | To view your certificate information:
18 |
19 | - Insert your PIV credential into your card reader.
20 | - Choose an option from the table below and follow the steps.
21 |
22 | | Operating System | Module | Steps |
23 | | ------------- |----|----|
24 | | Microsoft | Internet Explorer | Open _Internet Explorer Browser_ -> (_Tools_ wheel or Alt+X) -> _Internet Options_ -> _Content_ tab -> _Certificates_ button -> _Personal_ tab |
25 | | Microsoft | Microsoft Management Console (MMC) and Certificate Snap-in | Open _Microsoft Management Console_ -> _File_ -> _Add/Remove Snap-In_ -> _Certificates_ snap-in -> _Add_ -> _My user account_ -> _Finish_ -> Expand _Certificates - Current User_ -> _Personal_ -> _Certificates_ |
26 | | Any | Chrome Browser | Open _Chrome Browser_ -> _Settings_ -> _Security_ -> _Manage Certificates_ (_Manage HTTPS/SSL Certificates and Settings_) -> _Personal_ tab |
27 | | Any | Firefox Browser | Open _Firefox Browser_ -> _Settings_ wheel -> _Privacy & Security_ -> _Security_ -> _Certificates_ -> _View Certificates_ button -> _Certificates Manager_ -> _Your Certificates_ tab |
28 | | macOS | Keychain | Open _Applications_ -> _Utilities_ -> _Keychain Access_ -> Select _Login_ -> _Categories_ -> _My Certificates_ |
29 |
30 | {% include alert-info.html heading = "View" content="You may see many certificates. To open and view the certificate details, double-click on any certificate." %}
31 |
32 | ## Export PIV Certificates
33 | We won't always be using graphical user interfaces to view the PIV credential certificates. Throughout the _PIV_ and _Federal PKI (FPKI) Guides_, we're continuing to add useful procedures for network engineers and examples of code, tools, and common _command line_ options for viewing and troubleshooting configurations. (**Note:** These examples may use files representing _public_ certificates.)
34 |
35 | {% include alert-info.html heading = "Export" content="Look for an Export button and save the file as DER or PEM-encoded, with a file extension of cer (.cer)." %}
36 |
37 | {% include alert-warning.html heading = "Keys are safe!" content="Don't worry - the public certificates are public and safe to share. The private keys live in the secure chip on your PIV credential and cannot be read out through the card interface, so exporting a certificate never exposes a private key. (The PIV Authentication, Card Authentication, and Digital Signature keys are generated on the card itself; the _Encryption_ key may also be held in escrow by your issuer so that older encrypted email and documents can be recovered, which is why retired encryption certificates can appear on a credential.) " %}
38 |
39 | ## Understand PIV Certificates
40 | Viewing the certificate information on your PIV credential may be interesting if you are a general user. Understanding the certificate information is a **must** if you are a program manager or engineer developing applications and designing solutions for using PIV credentials.
41 |
42 | Within the U.S. Federal Government, the certificate and PIV credential information is governed by standards, policies, and implementation-specific choices (options) across all agency credential providers.
43 |
44 | Typically, there are four certificates and four key pairs on a PIV credential. However, one pair (i.e., one certificate and one key pair) is *ALWAYS* on every PIV credential and three pairs (i.e., three certificates and three key pairs) are *SOMETIMES* on a PIV credential. You can review the [Basics of a PIV Credential](../elements/) to view the four pairs and purposes.
45 |
46 | The table below outlines the general information for the PIV credential certificates, certificate extensions, and design considerations.
47 |
48 | {% include alert-info.html heading = "Six Years" content="PIV credentials and certificates have changed over time due to updates in standards. Since users may have credentials for up to six years and there are both optional and mandatory elements, the information presented is what is valid for ALL PIV credentials and certificates currently in use. (Although credentials are valid for six years, the certificates contained on a credential are valid for only three years.)" %}
49 |
50 | | Certificate | Required | Key Usage | Extended Key Usage | Subject Alternative Name | Design Considerations |
51 | | ------------- |:----: |:----: |:----: |:----:| ----|
52 | | PIV Authentication |Always | Digital Signature | Client Authentication | otherName = FASC-N; uniformResourceIdentifier = UUID; Principal Name = _prefix_@_suffix_ | Principal Name values are **not** required by policy to be present in all Subject Alternative Name extensions. The Card UUID may also commonly be referred to as the Global Unique Identifier (GUID). |
53 | | Card Authentication |Sometimes | Digital Signature | id-PIV-cardAuth | Name = FASC-N; uniformResourceIdentifier = UUID| Card Authentication must be included in new and replacement PIV credentials issued after August 2014; it is not expected that **all** PIV credentials will have Card Authentication certificates until September 2019. The Card UUID may also commonly be referred to as the GUID. |
54 | | Digital Signature |Sometimes | Digital Signature, Non-Repudiation | Specific EKUs are required for certificates issued after June 2019 | rfc822name = email address | Email address is **not** required by policy. Email address may be multi-valued attributes and include email aliases. |
55 | | Encryption |Sometimes | Key Encipherment | Specific EKUs are required for certificates issued after June 2019 | rfc822name = email address | Email address is **not** required by policy. Encryption certificates that represent available, retired encryption key pairs may exist, depending on the PIV issuer.
56 |
57 | Additional useful information:
58 |
59 | - All key pairs for users are 2048-bit (RSA) keys
60 | - All certificates issued and certified as _PIV_ are SHA-256 signed
61 | - If you are working with _Common Access Cards_, you may still encounter SHA-1-signed certificates and might _not_ see a Card Authentication certificate
62 | - There has been testing in some infrastructures to migrate to Elliptic Curve Cryptography (ECC), but there are no ECC certificates for users in production as of the date of this guide
63 | - There has been testing in some infrastructures to migrate to 3072-bit (RSA) certificates, but there are no 3072-bit certificates for users in production as of the date of this guide
64 |
65 | In-depth details on the certificate profiles are contained in the current and historical Federal Public Key Infrastructure (FPKI) policy documents. The most recent policy and certificate profile documents may be found on IDManagement.gov's [Federal Public Key Infrastructure page](https://www.idmanagement.gov/fpki/#certificate-policies){:target="_blank"}.
66 |
67 |
--------------------------------------------------------------------------------
/pages/elements.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Basics of a PIV Credential
4 | permalink: /elements/
5 | redirect_to: https://playbooks.idmanagement.gov/piv/basics/
6 | ---
7 |
8 | There are two main categories for the features of a PIV credential: [_physical_ features](#physical-features) and [_electronic_ features](#electronic-features).
9 |
10 | ## Physical Features
11 |
12 | {:style="float:left"}
13 |
14 | An example of a PIV credential can be seen to the left.
15 |
16 | The image shows the standard placement for information such as photograph, name, affiliation, expiration date, organization, and the **chip**.
17 |
18 | PIV credentials also contain at least one security feature that aids in reducing counterfeiting, is resistant to tampering, and provides visual evidence of tampering attempts such as optical varying structures or inks, laser etching, holographic images, and watermarks.
19 |
20 |
21 | ## Electronic Features
22 | What is the chip on your PIV credential? In the easiest terms: it is a computer. It holds information **very securely** and can process data. The chip is also called a _secure element_.
23 |
24 | {% include alert-info.html heading = "Do you have a debit card with a chip or a smartphone with a SIM card?" content="These are both examples of similar technology that we use every day in our daily lives and help us secure information. You can't use your PIV credential to withdraw money, nor do you use your debit card to login to your computer or Federal applications - but you can see how similar technology is used every day." %}
25 |
26 | Most applications that use PIV credentials leverage information stored on the chip and we call this information the _logical elements_. These elements are defined in the [NIST Special Publication 800-73 series document.](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf){:target="_blank"}
27 |
28 | The following electronic elements authenticate the PIV credential as a Device:
29 |
30 | - **Cardholder Unique Identifier (CHUID)**, which is a digitally signed data object containing the Federal Agency Smart Card Number (FASC-N) plus other data that can be used. The CHUID is a static object that can be read without a PIN, so verifying its signature shows the data was produced by a PIV issuer but does not by itself prove that the card presenting it is genuine; rely on Card Authentication for that.
31 | - **Card Authentication**, which is a certificate and key pair that can be used to verify that the PIV credential was issued by an authorized entity, has not expired, and has not been revoked. Because the private key can be used without entering a PIN, this check proves the card is genuine, not that the person holding it is the cardholder.
32 |
33 | The following electronic elements authenticate YOU as the user:
34 |
35 | - **Photograph**, which is stored on the chip, signed digitally and allows a person to confirm that the printed photo on the card has not been altered.
36 | - **Biometric Identity Information** such as fingerprints or iris/eye templates, which can be used to verify you.
37 | - **PIV Authentication**, which is a certificate and key pair that can be used to verify that the PIV credential was issued by an authorized entity, has not expired, has not been revoked, and that the holder of the credential (YOU) is the same individual to whom it was issued. Unlike Card Authentication, using this private key requires your PIN, which is what ties the card to you.
38 |
39 | The following electronic elements are for usage by YOU:
40 |
41 | - **Digital Signature**, which is a certificate and key pair that allows YOU to digitally sign a document or email, providing both integrity and non-repudiation.
42 | - **Encryption**, which is a certificate and key pair and allows YOU to digitally encrypt documents or email with your colleagues in the US Federal Government or with government Partners, providing confidentiality through ensuring that only authorized parties can read the document or email.
43 |
44 | The Card Authentication, PIV Authentication, Digital Signature, and Encryption all leverage four separate certificates and key pairs, issued from certification authorities that are audited and certified by the Federal Public Key Infrastructure (FPKI).
45 |
--------------------------------------------------------------------------------
/pages/identifiers.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Identifiers in a PIV Credential
4 | permalink: /identifiers/
5 | redirect_to: https://playbooks.idmanagement.gov/piv/identifiers/
6 | ---
7 |
8 | In applications including network domains, you will associate the PIV credential with your accounts. This is not a unique process to PIV credentials and usage, and is a general concept that occurs in many applications including your personal email accounts, your bank accounts, or your favorite social media app.
9 | {% include alert-info.html content="Associating a credential with an account is called Account Linking." %}
10 |
11 | _Identifiers_ are the values in credentials that are used for account linking. We focus on the **PIV Authentication** certificate and identifiers in this section to help you understand the options, and design and implement for using PIV to authenticate to networks and applications.
12 |
13 | The table below outlines identifiers available in the PIV Authentication certificate and design considerations for implementations.
14 |
15 | | Identifiers | Considerations |
16 | | ------------- |---- |
17 | | Subject | Unique for every person _within the same agency_; Value does not change when a user receives a new, replaced or updated PIV credential _within the same agency_ |
18 | | Issuer and Subject | Unique for every person; Value does not change when a user receives a new, replaced or updated PIV credential _within the same agency_ |
19 | | Issuer and Serial Number | Unique for every person and certificate; Value changes when a user receives a new, replaced or updated PIV credential |
20 | | Subject Key Identifier | Unique for every person and certificate; Value changes when a user receives a new, replaced or updated PIV credential |
21 | | SHA-1 Hash of Public Key | Value changes when a user receives a new, replaced, or updated PIV credential; Commonly referred to as the thumbprint of the certificate |
22 | | Federal Agency Smartcard Number (FASC-N) | It is not recommended to use the FASC-N as an identifier; Unique for every credential _only within the US Federal Executive branch agencies_; No uniqueness for PIV credentials issued by Legislative or Judicial branch agencies, State, Local, Tribal, Territories, Partners or any credentials certified as PIV-Interoperable or _PIV-I_; Value changes when a user receives a new, replaced, or updated PIV credential; Legacy definition and usage was to support building access control systems as outlined in [this document](https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads//TIG_SCEPACS_v2.2_0.pdf){:target="_blank"} |
23 | | Card Universal Unique Identifier (UUID) | Unique for every person and credential; Value changes when a user receives a new, replaced or updated PIV credential; Card UUID value is only required to be present for new or replacement PIV credentials issued after August 2014; May also commonly be referred to as the Global Unique Identifier (GUID). |
24 | | User Principal Name in _Subject Alternative Name_ | Not required to be included in all PIV Authentication certificates; Not recommended for use as an identifier to achieve full interoperability for networks or applications; Commonly used for enterprise smart card logon / network authentication in _legacy_ implementations |
25 |
26 | For all items referencing an _agency_ in the table, consider the reference to mean the smallest organizational unit. For example, a user who moves from one component in a large agency to another component may receive a new Subject name when the user requires a replacement PIV credential.
27 |
--------------------------------------------------------------------------------
/pages/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Introduction - PIV Guides
4 | permalink: /
5 | redirect_to: https://playbooks.idmanagement.gov/piv/
6 | ---
7 |
8 | These **Personal Identity Verification** (PIV) Guides are intended to help you implement common PIV configurations at your organization. These guides are [open source]({{ site.repo_url }}) and a _work in progress_ and we [welcome contributions](contribute/) from our colleagues.
9 |
10 | The guides focus on using PIV credentials for _logical access_ such as authenticating to networks or applications, or digitally signing and encrypting. Using PIV for _physical access_ will be covered under another set of guides.
11 |
12 | If you cannot find a particular topic, it may still be in development. Review the [Issues]({{ site.repo_url }}/issues) for questions and lessons that are in progress. Create a new [Issue]({{ site.repo_url }}/issues) to ask a question or share information with others.
13 |
14 | Read on to learn more about PIV credentials.
15 |
16 | 1. [What is PIV?](#what-is-piv)
17 | 1. [What is in the PIV Guides?](#what-information-is-in-these-piv-guides)
18 | 1. [Why is PIV usage important?](#why-is-piv-usage-important)
19 | 1. [What systems should use PIV?](#what-systems-should-use-piv)
20 | 1. [Where can I find the Standards?](#where-can-i-find-the-standards)
21 |
22 | ## What is PIV?
23 |
24 | A Personal Identity Verification (PIV) credential is a US Federal governmentwide credential used to access Federally controlled facilities and information systems at the appropriate security level.
25 |
26 | PIV credentials have certificates and key pairs, PINs, biometrics like fingerprints and pictures, and other unique identifiers. Put together in a PIV credential, these provide the capability to implement multi-factor authentication for networks, applications and buildings.
27 |
28 | ## What information is in these PIV guides?
29 | First, we cover the basics of PIV credentials, including:
30 |
31 | - What PIV is, contains and looks like;
32 | - The basics of getting started with PIV credentials; and
33 | - Using PIV for network authentication (smartcard logon).
34 |
35 | We also cover applications, and guidance for developers and users - which need your input!
36 | {% include alert-success.html heading = "Share your expertise" content="Please contribute and share your lessons for configuring systems or applications, tuning considerations, code, common challenges, troubleshooting errors, as well as anything else you think would be helpful for your colleagues." %}
37 | ## Why is PIV usage important?
38 |
39 | Enabling systems and facilities to use PIV credentials for authentication enhances agency security. PIV credentials allow for a high level of assurance in the individuals that access your resources, because they are only issued by trusted providers to individuals that have been verified in person. PIV credentials are highly resistant to identity fraud, tampering, counterfeiting, and exploitation.
40 |
41 | PIV credentials are _standardized_ as well. PIV credentials might be issued by different organizations using different commercial or open source products, on different form factors (cards, mobile devices, etc). However, PIV credentials are standardized - every PIV credential is required to have specific information, using technology which is _interoperable_.
42 |
43 | Your PIV credential from one agency will have the same basic required format, information and technology as a PIV credential from your partner agencies. This allows us to trust each other, share applications, and architect and implement systems using common patterns for authentication.
44 |
45 | ## What systems should use PIV?
46 | Any system at your organization that requires heightened security for determining who should gain access can and should use PIV for authentication. While PIV credentials can be used for authentication on almost any system, they are especially useful for systems that protect sensitive information.
47 |
48 | PIV should be used for:
49 |
50 | * All authentication by _privileged_ users, including to servers, networks, and applications;
51 | * All _network_ authentication for _all_ users;
52 | * All application authentication for _all_ users of an application that protects or contains sensitive information; and
53 | * Access to facilities and buildings.
54 |
55 | ## Where can I find the Standards?
56 | Review the information on this site if you are interested in PIV credentials or work on _using_ PIV credentials.
57 |
58 | If you are interested in the bits and bytes of PIV credentials, you can review the Standards (see below), particularly if you develop products such as hardware or software that are _specific_ to PIV credentials for the US Federal Government. (For most users and engineers, the Standards may be too detailed for your needs.)
59 |
60 | To review the Standards, there is a [NIST website](http://csrc.nist.gov/groups/SNS/piv/standards.html){:target="_blank"}{:rel="noopener noreferrer"} with all PIV related Standards. Links to some of the most common Standards:
61 |
62 | - **[FIPS-201](http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf){:target="_blank"}{:rel="noopener noreferrer"}** specifies the issuance and management of PIV credentials.
63 | - **[NIST Special Publication 800-73, "Interfaces for Personal Identity Verification"](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf){:target="_blank"}{:rel="noopener noreferrer"}** specifies the interface and data elements of PIV credentials.
64 | - **[NIST Special Publication 800-76, "Biometric Data Specification for Personal Identity Verification"](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf){:target="_blank"}{:rel="noopener noreferrer"}** specifies the technical acquisition and formatting requirements for biometric data of PIV credentials.
65 |
--------------------------------------------------------------------------------
/pages/start.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Getting Started
4 | permalink: /start/
5 | redirect_to: https://playbooks.idmanagement.gov/piv/gettingstarted/
6 | ---
7 |
8 | You need two items to begin using your PIV credential:
9 |
10 | * A [card reader](#card-readers) (hardware)
11 | * [Middleware](#middleware) (software) that works with your computer
12 |
13 | {% include alert-success.html content="With just their PIV credential, a card reader and middleware - your users can log in to websites that are PIV enabled, digitally sign email and documents and files, and encrypt!" %}
14 |
15 | ## Card Readers
16 | A card reader is exactly what the name suggests: a piece of hardware which helps read the card.
17 |
18 | > *A card reader is the hardware that supplies power to the chip, and allows the computer operating system to talk to the PIV credential chip operating system.*
19 |
20 | Card readers are available in many shapes and sizes - to fit both the PIV credential and to plug into your computers. There is a card reader that will work with any shape and size of computer you use, including card readers for USB and microUSB ports. There are fold-up readers, readers that sit on your desk, keyboards with readers, readers that connect to tablets, and readers built into laptops.
21 |
22 | {% include alert-info.html heading="ISO 7816" content="If you need to buy a card reader for computers, you will need one that specifies support for ISO 7816." %}
23 |
24 | You can buy a card reader for personal use from a number of commercial online retailers. When buying card readers for your agency, you can use [GSA Advantage](https://www.gsaadvantage.gov/){:target="_blank"} to directly purchase the card readers.
25 |
26 | Before you buy a card reader, look around and ensure you don't already have one. A large portion of government laptops have the card readers already, and desktops may have keyboards with readers built-in.
27 |
28 | If you have a Mac OSX or Linux based computer, you probably don't have a card reader built in. Find a card reader option that you like and let's move on to Middleware.
29 |
30 | ## Middleware
31 | For PIV credentials, _middleware_ refers to the computer software or drivers which allow the computer to interact with the PIV credentials to support authentication, digital signatures, encryption, and integrations with your software tools.
32 |
33 | For common PIV credential usage scenarios, the table below outlines the _general smartcard middleware_ available as open or government source or included in operating systems for use scenarios. Commercial options for PIV Middleware are available and the list of NIST certified PIV Middleware can be viewed [here on the NIST website](http://csrc.nist.gov/groups/SNS/piv/npivp/validation.html){:target="_blank"}.
34 |
35 | {% include alert-info.html content="Consider how to support your email client software, virtual private network software, and which browsers are used if you're choosing middleware for all your agency enterprise users." %}
36 |
37 | | Name | Operating System and Versions | Support | Considerations |
38 | | ------------- |----|----|----|
39 | | Windows mini-driver | Windows 7, Windows 8, Windows 10, Windows 2008, Windows 2012 | Yes | Included in Windows operating systems and requires no installation. Does not include the functionality to perform full lifecycle management of a PIV credential. Does not support using your PIV credential with non-Microsoft cryptographic service providers such as those used by Mozilla Firefox browser. |
40 | | OpenSC | Mac OSX 10.5, Mac OSX 10.6, Mac OSX 10.7, Mac OSX 10.9, Mac OSX 10.10, Windows (32-bit and 64-bit), Linux, *nix versions vary | Open Source | Open source software. Limited commercial support for maintenance and patching. Supports PKCS#11; for example, as used by Mozilla Firefox browser. |
41 | | Smart Card Services | Mac OSX 10.6, Mac OSX 10.7, Mac OSX 10.9, Mac OSX 10.10 | Open Source | Open source software. Limited commercial support for maintenance and patching. |
42 | | CoolKey | Linux, *nix versions vary | Open Source | |
43 | | CACKey | Linux, *nix versions vary | US Government Source | Available from Forge.mil |
44 | | **Commercial options** | Varies | Yes | Review support for your usage needs such as email signing, encryption, network authentication, VPNs, and website authentication |
45 |
46 |
47 | You may need to consider Network authentication, Virtual Private Network (VPN), email signing, email encryption, document signing, document encryption and website authentication when choosing one or more middleware options for yourself or your users. In most cases, you can choose a middleware option that works for the most common uses for your purposes or mix and match based on operating systems and devices.
48 |
49 | ### Middleware definitions
50 |
51 | _Middleware_ as a general computer term can encompass any software that provides integration points for an application. In the Standards for PIV credentials, the term _PIV middleware_ is used and a common question is "What is the difference between PIV Middleware and general smartcard middleware?" To simplify, we'll define the two terms as we use them for PIV credentials in these guides:
52 |
53 | **PIV Middleware:**
54 |
55 | > _Client side software which implements the full set of application programming interfaces and card functions as specified in NIST Special Publication 800-73-4, and has been certified as compliant to the NIST Special Publication 800-85A series testing procedures. The PIV compliant middleware implements all lifecycle functions including the ability for a user to perform PIN resets, activation, and renewals. The PIV compliant middleware may also implement common usage functions to support authentication, digital signatures, encryption, and integrations with multiple operating system cryptographic libraries._
56 |
57 | **General smartcard middleware:**
58 |
59 | > _Client side software which implements common functions for an operating system and cryptographic libraries to interface with PIV credentials or other smartcards for usage. The general smartcard middleware may implement functions to support authentication, digital signatures, encryption, and integrations with multiple operating system cryptographic libraries._
60 |
61 | For common PIV credential usage scenarios, we outline the _general smartcard middleware_ available as open or government source or included in operating systems for use scenarios. Commercial options for PIV Middleware are available and the list of NIST certified PIV Middleware can be viewed [here on the NIST website](http://csrc.nist.gov/groups/SNS/piv/npivp/validation.html){:target="_blank"}.
62 |
63 |
64 | ## Next Steps
65 | You have a PIV credential, you have a card reader, and you have middleware for your computer. **Now what?**
66 |
67 | If you want to learn more about details of PIV credentials, certificates, and how to configure a network or web application, the next [section](../details) is for you.
68 |
--------------------------------------------------------------------------------
/pages/template.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: default
3 | title: Template Title of This Page
4 | permalink: /template/
5 | redirect_to: https://playbooks.idmanagement.gov/
6 | ---
7 |
8 | Markdown is a simple way of writing and formatting text. The formats can be used across many different platforms, including websites and documents. We created a sample template to help you with your page.
9 |
10 | To review information on how to contribute and how to Add a New Page: https://piv.idmanagement.gov/contribute
11 | If you want to learn more about markdown formatting: https://guides.github.com/features/mastering-markdown/
12 |
13 | You can copy and paste this template into a new page, and use the sample markdown.
14 |
15 | You probably noticed this block at the top of the page.
16 |
17 | layout: default
18 | title: Title of the Page
19 | permalink: /template/
20 |
21 | This block at the top of the page is used for website navigation when your guide is posted. Update the _Title of the Page_ and the _/template/_ permalink.
22 |
23 | ## Overview
24 |
25 | To begin your guide, briefly state its purpose in one to two sentences for an Overview. You may include information on the intended audience, the intended outcome of the guide, and any other information that would help the user to understand the guide.
26 |
27 | Then add a table of contents link for each section. For example:
28 |
29 | * [Section 1 Title](#words-in-section1-title-separated-by-dashes)
30 | * [Section 2 Title](#words-in-section2-title-separated-by-dashes)
31 | * [Section 3 Title](#words-in-section3-title-separated-by-dashes)
32 |
33 | We propose these sections for most guides:
34 |
35 | ## Before You get Started
36 | This section should tell the user what to prepare before starting a set of procedures. Explain any assumptions as bulleted lists. Clearly state the hardware and software requirements.
37 |
38 | ## Procedure 1
39 | This section should tell the user how to achieve the goal. Explain all steps simply and don't try to recreate other resources that are easily found. Focus on the government and what can be unique when implementing or executing.
40 |
41 | ## Procedure 2
42 | This section should tell the user how to achieve the goal. Explain all steps simply and don't try to recreate other resources that are easily found. Focus on the government and what can be unique when implementing or executing.
43 |
44 | Here are sample markdown formats for you:
45 |
46 | Headings use the hash sign with a space.
47 |
48 | ## This Is a Second-Level Heading
49 | ### This is a third-level heading
50 | #### This is a fourth-level heading
51 |
52 |
53 | ### Number List Items
54 |
55 | 1. Step 1 of procedure. (Indent 2 spaces, enter a number, and add 1 space.)
56 | 2. Step 2 of procedure.
57 |
58 | ### Bullet List Items
59 |
60 | * Bullet 1 (Indent 2 spaces, enter an asterisk, and add 1 space.)
61 | * Bullet 2
62 |
63 | ### Bold and Italics
64 |
65 | * Use double asterisks to bold a word: **bold**.
66 | * Use underscores to create italics: _italics_.
67 |
68 | ### Code Blocks
69 |
70 | To create a code block, use spaces, backticks (```), and Returns in this order:
71 |
72 | * 4 spaces plus 3 backticks (```) to start the code block
73 | * A Return
74 | * Type or paste in the code that the user needs to enter for a specific step
75 | * Another Return
76 | * 4 spaces plus 3 backticks to end the code block
77 | * Another Return
78 |
79 | For example:
80 |
81 | ```
82 | Text within three backticks for code or command line samples
83 | ```
84 |
85 | ### Code Comments
86 |
87 | Code comments will be invisible in a webpage view, but others will be able to see the comment in GitHub Markdown.
88 |
89 | ### Images
90 |
91 | To insert an image into your Page, upload the image file to the **/img/** folder in the GitHub repository. Then at the image insertion point in your page, add these formats to link to the image.
92 |
93 | 
94 |
95 | {:align="right"}
96 |
97 | {:style="float:left;width:25%;"}
98 |
99 |
100 | ### Links to Other Documents
101 |
102 | To link to useful references, information:
103 |
104 | [This is what I want my link to say]({{site.baseurl}}/insertlink/)
105 |
106 | To link to a document or to another website, always open the link in a new window, and add `rel="noopener noreferrer"` so the opened page cannot access the page that opened it:
107 |
108 | [This is what I want my link to say](https://www.governmentagency.gov){:target="_blank"}{:rel="noopener noreferrer"}
109 |
110 |
111 |
112 |
--------------------------------------------------------------------------------