Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- Subject: Re: [Fed-Talk] [Smart Cards] Tiger Login - DRAFT
- From: Brian Raymond <email@hidden>
- Date: Wed, 01 Jun 2005 19:02:52 -0400
Thanks for the info...
I've tried a number of different sites, both public and private, with no
luck. All of these sites work fine with the same reader and my 10.3 box
(thankfully I didn't upgrade my G5 yet) but fail on both 10.4 boxes I have.
Given that, I assumed it wasn't the sites but rather my OS/hardware.
It's interesting that things started working for you, though; I'll give it
another shot and see what happens.
- Brian
On 6/1/05 6:57 PM, "Michael Kluskens" <email@hidden> wrote:
> Apparently the problem I was seeing was a flaw in the web site I was
> accessing, either they fixed the problem or my system is working
> around it now.
>
> I recommend trying the test page at Navy Infosec
> <https://infosec.navy.mil/ps/?t=main/main.tag&bc=main/bc_main.html> before
> assuming the problem is your OS or hardware (I'm using a flashed
> ActivCard reader with no problem now).
>
> My first try I found Safari/Keychain subsystem was presenting the
> wrong certificate, but it seems to have remembered which one to present.
>
> Also, I switched my boot drive back to standard journaled only (not
> case-sensitive) and now Keychain Access is working properly, before
> it was almost working.
>
> Michael
>
> PS. Retrospect's duplicate function has a problem with case-sensitive
> filesystems; I haven't had time to report it yet. Lost a bunch of
> new files when duplicating a case-sensitive file system to a
> case-insensitive file system on my way back to a more standard filesystem.
>
> On Jun 1, 2005, at 6:34 PM, Brian Raymond wrote:
>
> Since the problem of our CAC cards not working is possibly related to
> the fact that we are using flashed ActivCard readers, I wanted to check
> to see if anyone has tried to flash their reader back with the ActivCard
> firmware? I haven't looked into it yet so I wanted to see if I'd just be
> spinning my wheels?
>
> Thanks..
>
> - Brian
>
>
> On 5/24/05 10:57 AM, "Michael Kluskens" <email@hidden>
> wrote:
>
>
>> I'm having some issues with CAC and 10.4.
>>
>> I've done testing on OS X 10.4.1 on a standard journaled file system
>> and on a case-sensitive, journaled file system, with no apparent
>> difference between them.
>>
>> The only configuration setup I attempted is in Keychain Access and
>> that configuration step refuses to "stick" on my machine. (I also
>> tried sc_auth accept but I get "Access Restricted" and I don't know
>> what that means).
>>
>> OS X Mail works with encryption, decryption, and signing with no
>> additional configuration.
>>
>> Safari responds with "The client certificate has been revoked" when I
>> visit a local PKI enabled site (it's optional for this site; hopefully
>> that is not the cause of the problem). Mozilla also cannot access
>> that site under 10.4 if the CAC is in.
>>
>> My CAC card reader is an ActivCard reader that was flashed to work
>> with 10.3 and I have to assume it is working fine since OS X Mail is
>> fully operational in CAC functions. sc_hash gives the hashes for all
>> three keys on the CAC.
>>
>> On May 9, 2005, at 2:45 PM, Shawn Geddis wrote:
>>
>>> Smart Cards in "Tiger" - 10.4.x
>>> ===============================
>>> Smart Cards (CAC, GSCIS, PIV, JPKI, BELPIC, ....) are all
>>> abstracted as keychains
>>>
>>
>> Can the Smart Card keychain be seen in the "Keychain Access"
>> application and where? On my machine, the sections labeled "keys"
>> and "My certificates" are empty.
>>
>>
>>> ** Address Book
>>> Now also displays the "signing" check symbol just left of email
>>> addresses for which the user has a corresponding Public Cert in their
>>> keychain. The Cert is NOT stored in the keychain, but represents a
>>> relationship with one in one of the currently active keychains.
>>>
>>
>> This works, but I think there is a wording error here: the Cert is
>> stored in the keychain, it is NOT stored in the Address Book.
>>
>>
>>> "Common Access Card Viewer" functionality is largely now available
>>> since the Smart Cards appear as dynamic keychains. You can view
>>> the Certificate and Key information as well as change the PIN on
>>> the card by selecting the "Change Password for Keychain ...".
>>>
>>
>> This does not work at all for me, the only keychain I have is my
>> regular software keychain, I see no evidence of the CAC card in
>> Keychain Access.
>>
>>
>>> 2) The DoD Intermediate CAs are not available to the Keychain List
>>> by default
>>> -- Federal Customers within DoD will need to add the
>>> "X509Certificates" to the list
>>>
>>> a) Launch Keychain Access
>>> b) Select "Edit -> Keychain List"
>>> c) Select "Show: Mac OS X (System)"
>>> d) Check "Shared" checkbox next to
>>> "X509Certificates" (/System/Library/Keychains)
>>> e) X509Certificates will now appear in the Keychains
>>> List and will be available for
>>> Intermediates for the whole trust path
>>> validation.
>>>
>>
>> This is what totally fails on my system. First off, the check mark
>> is not there if I immediately or any time afterwards go back into
>> this menu. Also, I note that I also have System (/Library/Keychains),
>> which is shared, and X509Anchors (/System/Library/Keychains), which is
>> not shared (and not shareable, just like X509Certificates). Under
>> User I also have System (/Library/Keychains), which is shared.
>>
>> I created a brand new account and the problems existed there as well.
>>
>> Michael
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>> 40dataline.com
>>
>> This email sent to email@hidden
>>
>>