More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- Subject: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- From: George Polich <email@hidden>
- Date: Tue, 15 Nov 2005 13:44:16 -0500
- Thread-topic: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
Along the lines of those same questions is an upcoming (beginning Jan.) Army
issue that would end Army use and sales of Macs.
Not later than end of 2nd Qtr '06 the Army will fully implement "Two-Factor
Network Authentication for User Accounts." Supposedly driven by HS
Presidential Directive-12 on common ID standard. In short: CAC and CAC PIN
(the two factors) will be required to log in to anything Army using
"cryptographic capability of MS Active Directory."
Since Macs are not yet (and from my foxhole seems likely may never be)
allowed to "join" the AD, this requirement appears to effectively lock the
Apple product from any use on an Army network. Without useful network
connectivity and capability, the Mac line is a nice form, but simply not
functional.
The local DOIMS have been told to implement, and that they will. No amount
of "user requests, user support" from Mac users will persuade them to work
around the "higher headquarters" directives. So previous comments from the
Apple representatives that we make our desires known will have no weight. If
NETCOM or CIO/G-6 provides guidance (or better, directive) from "above" that
Macs can join AD, then the locals will allow or comply. Rightly or wrongly
the local DOIMS see themselves as implementers and network defenders, but
never as advocators.
That means some immediate and active involvement from the Apple Federal
office is needed. If not, Army sales are history unless offices want to go
"sneaker net" for any and all work product -- I don't think offices will be
doing that: it's inefficient and unproductive. And I, as well as many others,
do not have either time or money to waste on something not useful in a
collaborative environment. Stand-alone functionality, regardless of how
great, is irrelevant.
~~
George Polich
Deputy Director
Army Public Affairs Center, HQDA
301.677.7172
On 15/11/2005 11:35, "Nebergall, Christopher" <email@hidden> wrote:
> As the PKINIT draft is nearing becoming a standard
> <http://tools.ietf.org/wg/krb-wg/draft-ietf-cat-kerberos-pk-init/draft-ietf-cat-kerberos-pk-init-29.txt>
> I had some questions on Apple's support
> of the standard.
>
> 1. Does Apple currently have any support for PKINIT?
> 2. Is any support planned?
> 3. If Macs do/start to support PKINIT will support of the protocol be
> rolled back into normal MIT Kerberos sources?
>
> Without support for Kerberos, Smart Cards on Macs are largely not useful
> to my site to do anything but access the box itself. If anyone has
> had any luck or ideas on how to use smart cards on a Mac to access a
> wide variety of resources external to the box itself (i.e. Network file
> systems, SSH, web pages) I'd appreciate some tips.
>
> Thanks,
> Christopher Nebergall
>
_______________________________________________
Fed-talk mailing list (email@hidden)