White Paper
HP Common Access Card Solution March 2007
Page 4
4 Session Sequence
The following represents the sequence of events for a user’s CAC session:
• User selects a feature using the “DoD CAC” Authentication Agent at the HP MFP
• User is prompted to insert CAC
• User inserts CAC into attached card reader
• CAC is validated – accomplished by the following steps
– User is prompted to enter PIN
– PIN is validated by the card
– Certificate is read from CAC
– Verify that certificate is not revoked by checking CRL/OCSP
• Call Kerberos PKINIT with the certificate
• Kerberos PKINIT returns encrypted tickets
• Tickets are decrypted with the private key on the CAC (the key never leaves the card)
• Kerberos session ticket used to call LDAP Active Directory lookup
• Active Directory user information returned
• User selects Send to e-mail or Scan to network folder
• Active Directory user information applied to Send to e-mail or Scan to network folder
• User takes CAC out of reader, ending the session
• Certificate temporarily stored on the device is securely erased