White Paper

HP Common Access Card Solution March 2007

Page 4

4 Session Sequence

The following represents the sequence of events for a user’s CAC session:

• User is prompted to insert CAC

• User inserts CAC into attached card reader

• CAC is validated – accomplished by the following steps

– User is prompted to enter PIN

– PIN is validated

– Certificate is read from CAC

– Verify that certificate is not revoked by checking CRL/OCSP

• Call Kerberos Pkinit with certificate

• Kerberos Pkinit returns encrypted tickets

• Kerberos Pkinit decrypts tickets with private key from CAC

• Kerberos Session Ticket used to call LDAP Active Directory lookup

• Active Directory user information returned

• User selects Send to e-mail or Scan to network folder

• Active Directory user information applied to Send to e-mail or Scan to network

folder

• User takes CAC out of reader, ending the session

• Certificate temporarily stored on device is securely erased

• User selects feature using “DoD CAC” Authentication Agent at the HP MFP