[Fed-Talk] [Announcement] OS X Lion - Smart Card Services

Fed-Talk Subscribers,

Smart Card Services and the ability to develop support for a multitude of Smart Card devices and profiles based on CDSA/Tokend has been available in OS X since version 10.4.  Approximately two years ago, Apple officially moved the already open sourced components to an organized open source project at MacOSForge.org which has been led by Shawn Geddis, Enterprise Security Consulting Engineer with involvement from key leads within the open source community.  This project has driven the ongoing development and support for additional readers and smart card profiles which were then incorporated into OS X 10.5 through 10.6.  *See "Previous Updates.." at the end of this message for more details.

As Apple continues to drive innovation in the mobility space, it is necessary to continually reevaluate how OS services can be enhanced to better serve Apple's customer base.  Apple has had to make some tough decisions relating to the current Smart Card Services architecture.  

OS X Lion Support?
With the release of OS X Lion, Smart Card Services are deprecated and will not ship as a customer functioning service.  That does not mean that customers will be unable to continue to use their Smart Cards with OS X Lion.  It does mean that all of the necessary components will not come pre-shipped in OS X Lion along with related support.  Customers needing to continue to use their Smart Cards with OS X Lion will need to pursue one of the options mentioned here later according to their needs and requirements.

Why the change?
The foundational components for Smart Card Services in OS X have been based on an architecture (CDSA) that has been deprecated in the released version of OS X Lion.  This indicates CDSA's use and support has stopped and will be removed completely in a future release of OS X.  Any solution for OS X still leveraging the deprecated CDSA can continue to function for now, but the CDSA infrastructure would no longer receive enhancements or bug fixes.  CDSA will no longer ship in future releases of OS X. 

Apple clarified the migration from CDSA for developers during the WWDC 2011 Conference in San Francisco (June 6-10) during the "Next Generation Cryptographic Services" Session 212.  [Those with developer access can view the Conference Videos via ADC on iTunes.]

What was changed?
The Smart Card Services deprecation was limited to the following components no longer shipping in OS X.

  • No Tokend modules ship with OS X Lion (10.7)
    • Directory: /System/Library/Security/tokend/
  • Authorization Mechanism reference missing
    • /etc/authorization is the authorization database 
    • Right:   system.login.console
    • mechanism: builtin:smartcard-sniffer,privileged

Options Going Forward
Apple's need to deprecate what was there and focus on innovative approaches to solving the digital identity challenges on both OS X and iOS moving forward does not preclude customers from using Smart Cards on OS X 10.6 and even on 10.7.  Any developer / user is expected to be able to continue to use their Smart Cards on OS X 10.6 & 10.7 as long as they have a supported Tokend for the Smart Card profile installed.  This would require a non-Apple provided Installer.

Open Source Options
The MacOSForge.Org - SmartCardServices Project has provided the actual supported versions for 10.5 & 10.6 and plans to continue to provide that capability for 10.7.  The Project participants plan to post additional installers for customers to have the continued capabilities as were there in OS X 10.6 for as long as is technically feasible - with no guarantee of compatibility with future releases of OS X.  If the Tokend was previously shipped as part of OS X, then updates would need to be obtained here from the SmartCardServices Project (BELPIC, CAC, CACNG, PIV).  OpenSC is an alternative Open Source Smart Card project for CDSA on OS X.

Commercial Options
If the Tokend was independently developed, installation on 10.7 is expected to continue working given any additional configuration that may need to be done such as authorization database update, but again with no guarantee or support from Apple.  There have been a handful of commercially available products with more complete implementations and purchasable support contracts which many Federal/Commercial customers prefer.  Each of the commercial products available has a particular target market and list of supported Smart Cards and Tokens.

What option is for me?
Apple encourages all customers to pursue the option above that best suits their technical and support needs.  Both options have their own pros and cons, so you will need to weigh them against your organizational and personal needs.

ALL Smart Card related questions, comments, bug submissions should be targeted at one of the above options.  
Smart Card Services on OS X based on CDSA is no longer supported by Apple starting with OS X Lion 10.7.

-Shawn
__________________________________________________
Shawn Geddis       email@hidden
Security Consulting Engineer                              email@hidden

MacOSForge Project Lead: Smart Card Services 
__________________________________________________




Previous Updates provided from the SmartCardServices Project on MacOSForge.Org:

OS X 10.5.4 - 10.5.5
Smart Card Services Update (SCSU) v1.2 (Installer)
1) CCID Class Driver (v1.3.8) /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle
2) CAC Tokend (Updates)  /System/Library/Security/tokend/CAC.tokend
3) PIV Tokend (Updates) /System/Library/Security/tokend/PIV.tokend
4) PCSC Framework /usr/sbin/pcscd

OS X 10.5.6
SCSU integrated into OS X: SCSU v1.2 fully integrated into OS X 10.5.6

OS X 10.6.0
SmartCardServices - 64-bit: All components supporting 64-bit
TokendPKCS11: PKCS#11 Shim on CDSA - Support PKCS#11 access of Tokend supported Card

OS X 10.6.0-10.6.7 / 10.5.6 - 10.5.8
1) CAC-NG Tokend BETA builds have been available to access CAC-NG (CAC/PIV) - Gemalto TOPDLGX4 144

OS X 10.6.7 
1) CAC-NG Tokend  (NEW) /System/Library/Security/tokend/CACNG.tokend  -- Apple shipped the beta Tokend

OS X 10.7.0
1) CCID Class Driver (v1.3.11) /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle

Work continues under the MacOSForge Open Source Project
Any discussion, requests, bug reports, etc. should all be directed to the appropriate Mailing Lists on MacOSForge.Org if that is your chosen option mentioned earlier.  The disclaimer here is that, from this point forward, all work provided by the Project in whatever form will not ship in a future release of OS X, but will be provided as an available open source resource.

Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
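
The following added example, which is not part of the announcement or of the SmartCardServices project's code, checks the two items the message lists under "What was changed": whether any `.tokend` modules are installed and whether `system.login.console` still references `builtin:smartcard-sniffer,privileged`. It assumes `/etc/authorization` is a property list with a top-level `rights` dictionary whose entries carry a `mechanisms` array; the function names and the sample plists are constructed for illustration.

```python
import os
import plistlib
from pathlib import Path

RIGHT = "system.login.console"
MECHANISM = "builtin:smartcard-sniffer,privileged"
TOKEND_DIR = "/System/Library/Security/tokend/"
AUTH_DB = "/etc/authorization"

def login_mechanisms(auth_plist: bytes, right: str = RIGHT) -> list:
    """Return the mechanism list of a right, or [] if the right is absent."""
    db = plistlib.loads(auth_plist)
    entry = db.get("rights", {}).get(right, {})  # assumed plist layout
    return list(entry.get("mechanisms", []))

def installed_tokends(tokend_dir=TOKEND_DIR) -> list:
    """Return the names of *.tokend bundles found in the tokend directory."""
    d = Path(tokend_dir)
    if not d.is_dir():
        return []
    return sorted(p.name for p in d.iterdir() if p.suffix == ".tokend")

def audit(auth_plist: bytes, tokend_dir=TOKEND_DIR) -> dict:
    """Report which smart card login prerequisites are missing."""
    mechs = login_mechanisms(auth_plist)
    tokends = installed_tokends(tokend_dir)
    findings = []
    if MECHANISM not in mechs:
        findings.append("missing mechanism: " + MECHANISM)
    if not tokends:
        findings.append("no .tokend modules in " + str(tokend_dir))
    return {"mechanisms": mechs, "tokends": tokends, "findings": findings}

def sample_plist(with_sniffer: bool) -> bytes:
    """Constructed sample database; the other mechanisms are placeholders."""
    mechs = ["loginwindow:login", "builtin:authenticate,privileged"]
    if with_sniffer:
        mechs.insert(0, MECHANISM)
    right = {"class": "evaluate-mechanisms", "mechanisms": mechs}
    return plistlib.dumps({"rights": {RIGHT: right}})

if __name__ == "__main__":
    # Audit the live system when the database exists, else the sample.
    if os.path.exists(AUTH_DB):
        data = Path(AUTH_DB).read_bytes()
    else:
        data = sample_plist(with_sniffer=False)
    for finding in audit(data)["findings"] or ["no findings"]:
        print(finding)
```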

