I know very little about smart card authentication in general so please point out or correct me if anything below doesn't make sense.

Lets say i have:

• A Certificate Authority "X"-s smart card (non-exportable private key)
• Drivers for that smart card written in C
• A smart card reader
• CA-s authentication OCSP web service
• A requirement to implement user authentication in a .NET fat client application via a smart card, that was given out by the CA "X".

I tried searching info on the web but no prevail. What would the steps be ? My first thought was:

Set up a web service, that would allow saving of (for example) scores of a ping pong game for each user. Each time someone tries to submit a score via the client application, he can only do so by inserting the smart card into the reader.

Then the public key is read from the smart card by native c calls through .NET and sent to my custom web service, which in return uses the CA-s authentication OCSP web service to prove the validity of the public key/public certificate (?). If the public key is okay and valid, encrypt a random sequence of bytes with the public key and send it to the client application. If the client application sends back the correctly decrypted random sequence of bytes along with the score of the ping pong game, then the score is saved in the database for the given user.

My question is, is this the correct way to do it ? What else should i know about smart card authentication ?