The National Institute of Standards and Technology (NIST), U.S. Department of Commerce, has defined a smart card application. Although not a "national ID card", it is expected to be used widely in the U.S. federal government and by its contractors. Cards carrying this application are commonly referred to as PIV cards.

NIST 800-73-1 and related documents define PIV. Part 3 of 800-73-1 defines the APDU commands accepted by the PIV application on the card. The standard does not define all the commands needed to administer a card, leaving those to the card vendors and card administration software vendors.

The non-administrative commands are standardized, so any vendor's card with the PIV application should interoperate with any vendor's client software. The pkcs11-tool can be used to read the objects on the card and to change the user PIN.

The piv-tool is provided to allow some card administration for testing purposes, such as generating a key pair and loading a certificate or other object onto the card. You may need more information from your card vendor.

The PIV application is not a PKCS#15-style card layout but an object-based application. OpenSC provides a PKCS#15 emulator to access the four certificates and keys, along with the data objects. Thus, for example, the "X.509 Certificate for PIV Authentication" can be used through PKCS#11 for login or web access.

OpenSC 0.11.2 added support for certificates that are gzip-compressed, but only 1024-bit RSA keys are supported. Changes are being added to 0.11.3 to support 2048- and 3072-bit RSA keys.

OpenSC 0.11.1 did not search arbitrary cards for the PIV application, and it set max_send_size and max_recv_size too low for PIV cards. With 0.11.1 you needed to add the ATR of a specific vendor's cards to opensc.conf. This was fixed in 0.11.2. The ATR of your card can be read using opensc-tool.

Sample changes needed in the opensc.conf file for 0.11.1 to use some Gemalto and Oberthur PIV cards:

...
    reader_driver xxxxx {
...
        max_send_size = 255;
        max_recv_size = 256;
...
    }
...
    card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00 {
        # Gemalto
        name = "PIV-II";
        driver = "piv";
    }
    card_atr 3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18 {
        # Oberthur
        name = "PIV-II";
        driver = "piv";
    }
...
    framework pkcs15 {
...
        emulate PIV-II {
        }
...
    }
...
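An added example, not part of this page or of OpenSC, that takes an ATR in the colon-separated form opensc-tool prints, walks its ISO 7816-3 interface bytes to find the historical bytes and verify the TCK checksum, and matches it case-insensitively against the two card_atr entries in the sample above. The PIV_AID_PREFIX constant is taken from SP 800-73 (not quoted on this page) and is only used to flag cards whose historical bytes advertise the PIV RID, as the Oberthur ATR does.

```python
from typing import Dict, Optional, Tuple

# The two card_atr entries from the opensc.conf sample above -> (name, driver).
GEMALTO_ATR = "3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00"
OBERTHUR_ATR = "3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18"
CARD_ATR_TABLE = {GEMALTO_ATR: ("PIV-II", "piv"), OBERTHUR_ATR: ("PIV-II", "piv")}

# First 9 bytes of the PIV application AID from SP 800-73 (not stated on this
# page); some cards echo it in their ATR historical bytes.
PIV_AID_PREFIX = bytes.fromhex("a00000030800001000")


def atr_bytes(atr: str) -> bytes:
    """Accept the colon-separated form printed by opensc-tool, in any case."""
    return bytes.fromhex(atr.replace(":", "").replace(" ", ""))


def normalize_atr(atr: str) -> str:
    """Canonical upper-case form so card_atr matching is case-insensitive."""
    return ":".join(f"{b:02X}" for b in atr_bytes(atr))


_TABLE = {normalize_atr(k): v for k, v in CARD_ATR_TABLE.items()}


def lookup_card(atr: str) -> Optional[Tuple[str, str]]:
    """Return (name, driver) for a configured ATR, or None if it is unknown."""
    return _TABLE.get(normalize_atr(atr))


def parse_atr(atr: str) -> Dict[str, object]:
    """Walk the ISO 7816-3 interface bytes to locate historical bytes and TCK."""
    data = atr_bytes(atr)
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("bad or missing TS byte")
    n_hist, y, i, protocols = data[1] & 0x0F, data[1] >> 4, 2, []
    while True:                        # Y bits: TA=1, TB=2, TC=4, TD=8
        i += bin(y & 0x7).count("1")   # skip TAi/TBi/TCi when flagged
        if not y & 0x8:
            break
        protocols.append(data[i] & 0x0F)  # TDi: low nibble = protocol T
        y, i = data[i] >> 4, i + 1        # high nibble flags the next group
    protocols = sorted(set(protocols)) or [0]  # no TD1 means T=0 only
    hist = data[i:i + n_hist]
    if len(hist) != n_hist:
        raise ValueError("ATR shorter than its declared historical bytes")
    i += n_hist
    tck_ok = None  # TCK is present only if a protocol other than T=0 is offered
    if protocols != [0]:
        if i >= len(data):
            raise ValueError("TCK byte missing")
        x = 0
        for b in data[1:i + 1]:  # XOR of T0 .. TCK must be zero
            x ^= b
        tck_ok = x == 0
    return {"protocols": protocols, "historical": hist.hex(),
            "tck_ok": tck_ok, "advertises_piv": PIV_AID_PREFIX in hist}
```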

Links

PIV Overview

http://csrc.ncsl.nist.gov/piv-program/

PIV Card Edge Specifications with APDUs

http://csrc.nist.gov/publications/nistpubs/800-73-1/sp800-73-1v7-April20-2006.pdf

PIV Approved Cards, Readers, Middleware, etc.

http://fips201ep.cio.gov/apl.php