Re: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- Subject: Re: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- From: George Polich <email@hidden>
- Date: Tue, 15 Nov 2005 14:27:15 -0500
- Thread-topic: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
It has come and gone. It showed that it works -- mostly. But still required
3rd party software as I understand [Admit Mac or something like it].
And that proves my original point. A sympathetic local DOIM might allow a
"pilot", but that is decidedly not a _systems_ solution. NAE (to which I
also belong) has not allowed, and may never allow, joining because they
won't unless NETCOM tells them it is "OK"; NAE (or its subordinates) will
not OK unilaterally.
Monmouth goes away under BRAC so it does the Army no service and the users
there are unlikely to be able to use their machines at their new post.
Transportability throughout the Army (and dare I say DoD) -- a systems
solution -- should, but does not, exist. Ad hoc is not the answer.
~~
gP
On 15/11/2005 14:04, "Ide, Douglas Mr USACFSC" <email@hidden>
wrote:
> It seems that while Macs are indeed officially locked out of joining AD (at
> least the Northeast AD domain), I've heard there is a pilot underway at PEO,
> Fort Monmouth, N.J., that includes a couple of hundred Macs hooking into
> Northeast AD. The pilot is slated to last 120 days, but I can't tell you
> when it started, or even if it has started.
>
> FWIW,
>
> Doug
>
> Douglas Ide
> U.S. Army CFSC Public Affairs
> 703-681-1548
> email@hidden
> www.armymwr.com
> -----Original Message-----
> From: George Polich [mailto:email@hidden]
> Sent: Tuesday, November 15, 2005 1:44 PM
> To: email@hidden
> Subject: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
>
> Along the lines of those same questions is an upcoming (beginning Jan.) Army
> issue that would end Army use and sales of Macs.
>
> Not later than end of 2nd Qtr '06 the Army will fully implement "Two-Factor
> Network Authentication for User Accounts." Supposedly driven by HS
> Presidential Directive-12 on common ID standard. In short: CAC and CAC PIN
> (the two factors) will be required to login to anything Army using
> "cryptographic capability of MS Active Directory."
>
> Since Macs are not yet (and, from my foxhole, seems likely may never be)
> allowed to "join" the AD, this requirement appears to effectively lock the
> Apple product from any use on an Army network. Without useful network
> connectivity and capability, the Mac line is a nice form, but simply not
> functional.
>
> The local DOIMS have been told to implement, and that they will. No amount
> of "user requests, user support" from Mac users will persuade them to work
> around the "higher headquarters" directives. So previous comments from the
> Apple representatives that we make our desires known will have no weight. If
> NETCOM or CIO/G-6 provides guidance (or better, directive) from "above" that
> Macs can join AD, then the locals will allow or comply. Rightly or wrongly
> the local DOIMS see themselves as implementers and network defenders, but
> never as advocators.
>
> That means some immediate and active involvement from the Apple Federal
> office is needed. If not, Army sales are history unless offices want to go
> "sneaker net" for any and all work product -- I don't think offices will be
> doing that: it's inefficient and unproductive. And I, as well as many others,
> do not have either time or money to waste on something not useful in a
> collaborative environment. Stand alone functionality, regardless of how
> great, is irrelevant.
> ~~
> George Polich
> Deputy Director
> Army Public Affairs Center, HQDA
> 301.677.7172
>
>
>
> On 15/11/2005 11:35, "Nebergall, Christopher" <email@hidden>
> wrote:
>
>> As the PKINIT draft is nearing becoming a standard
>> <http://tools.ietf.org/wg/krb-wg/draft-ietf-cat-kerberos-pk-init/draft-ietf-cat-kerberos-pk-init-29.txt>
>> I had some questions on Apple's support of the standard.
>>
>> 1. Does apple currently have any support for PKINIT?
>> 2. Is any support planned?
>> 3. If Macs do/start to support PKINIT will support of the protocol be
>> rolled back into normal MIT Kerberos sources?
>>
>> Without support for Kerberos, Smart Cards on Macs are largely not useful
>> to my site to do anything but access the box itself. If anyone has had
>> any luck or ideas on how to use smart cards on a Mac to access a wide
>> variety of resources external to the box itself (i.e. Network file
>> systems, SSH, web pages) I'd appreciate some tips.
>>
>> Thanks,
>> Christopher Nebergall
>>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> mil
>
> This email sent to email@hidden