#1364 Modify TPS UI to support external registration
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by jmagne.

Currently we have this difficult to use "external registration" facility that allows the admin to configure a list of certificates to add to or delete from a particular user's token. The process is entirely manual and a painstaking list of certs and keys to retrieve has to be encoded within a specific LDAP attribute.

This proposal is based on the assumption that the core back-end external reg functionality is worth leveraging.

Now that we have a very nice and convenient TPS UI, it makes sense to provide a nice front end to this, instead of making the admin search through LDAP servers for certificates. Here is what could be done (note: mockups could come later if the idea is considered to have merit):

  1. We can display a nice window/tab of the certs already on a given token.
  2. UI can be written to drag certs off for delete and provide a way to add certificates.
  3. Now that we have this nice REST interface for the CA and KRA, the UI can reach out to the ones configured within the given token profile to search for certificates. Possibly the key search can be automated based on the certificate.
  4. We can have a tab or popup that allows one to search a CA for certificates based on basic filters. Once a candidate cert is found, a click can add it to the token.
  5. As certs are added and deleted, the display will be clearly updated to show the user the proposed contents of the token. Hovering over a cert will pop up the info about it, like serial number, source CA, private key, etc.
  6. Once all editing is done, the exact same external reg record that gets created now can be written to the LDAP store. This way the rest of TPS token operations are virtually unchanged.
  7. Here the back end could be instructed to actually check to see if it can find the info for each cert and know if the cert and key have a chance of being retrieved at all. An error message could disallow the cert if it can't be found.

Should we decide to later throw away the external reg at the server level, the MVC nature of our TPS UI should allow us to hook the front end to a different back end at no huge cost.

This thing will of course depend upon our maintaining an accurate depiction of what is on the token.


Per CS/DS meeting of 05/04/2015: 10.3

Metadata Update from @jmagne:
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1926

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
