Hello, I do not know for sure, but as informed about e-CPF, it should look like the scheme of a company that has its CNPJ and digital certificate to issue valid notes (NF-e), the digital certificate would work with this e-CPF, which runs some kind of encryption on the data in order to protect them and make them accessible only with the key credential, which in this case would be e-CPF.
So, if I need to inform, change, modify or otherwise operate with tax data from company X officially on federal revenue, I first need to format the data in the standard that is accepted, and point them out, run an algorithm that uses the company's digital certificate X as a base, which has a lot of information that serves as a hash to generate the signature in the tax document and finally makes it valid and true.
In the case of e-CPF, installing the dock ubs to the card is enough. Because for example, if you enter the site of such an organ, and it requests a certificate from your machine to authenticate your session on the site, it automatically looks for if there is a valid certificate. The installation of the certificate is valid for type A1 certificates. About users can vary, depends on your need, whether it will stay on a server if all users of such machine will perform operations with such a certificate or only one person. If it is a user only, in the user itself, otherwise the machine installation. Remember that the A3 certificate type only requires the installation of the usb dock driver that you will plug the card into, hence the applications can see it.