[Fed-Talk] Firefox & CAC on a Mac
- Subject: [Fed-Talk] Firefox & CAC on a Mac
- From: "Sullivan, Matthew Mr RDECOM CERDEC NVESD" <email@hidden>
- Date: Thu, 17 Aug 2006 08:02:52 -0400
Is anyone out there using their CAC to log in to AKO with the Firefox
browser?
Matthew R. Sullivan
NVESD - Web Developer
US Army RDECOM, CERDEC
-----Original Message-----
From: email@hidden
[mailto:email@hidden]
Sent: Wednesday, August 16, 2006 3:02 PM
To: email@hidden
Subject: Fed-talk Digest, Vol 3, Issue 216
Send Fed-talk mailing list submissions to
email@hidden
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.apple.com/mailman/listinfo/fed-talk
or, via email, send a message with subject or body 'help' to
email@hidden
You can reach the person managing the list at
email@hidden
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Fed-talk digest..."
Today's Topics:
1. Changes in Boot Camp 1.1 beta (Dave Hale)
2. New Email Requirement (John Niles)
3. Re: New Email Requirement (Timothy J. Miller)
4. Re: New Email Requirement (Paul Nelson)
5. Re: New Email Requirement (Paul Nelson)
6. RE: New Email Requirement (UNCLASSIFIED) (Halpin, Stanley Dr ARI)
7. Re: New Email Requirement (UNCLASSIFIED) (Timothy J. Miller)
----------------------------------------------------------------------
Message: 1
Date: Tue, 15 Aug 2006 23:43:35 -0400
From: Dave Hale <email@hidden>
Subject: [Fed-Talk] Changes in Boot Camp 1.1 beta
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
http://www.apple.com/macosx/bootcamp/
Changes in Boot Camp 1.1 beta
Boot Camp 1.1 beta contains many updates and is intended for all new
and previous Boot Camp beta users.
Boot Camp 1.1 beta includes:
Support for the latest Intel-based Macintosh computers
Easier partitioning using presets for popular sizes
Ability to install Windows XP on any internal disk
iSight camera support
Support for built-in microphones
Right-click when pressing the right-hand Apple key on Apple keyboards
Improved Apple keyboard support including Delete, PrintScreen,
NumLock, and ScrollLock keys
------------------------------
Message: 2
Date: Wed, 16 Aug 2006 08:39:42 -0400
From: John Niles <email@hidden>
Subject: [Fed-Talk] New Email Requirement
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Troops,
About 18 months ago, this location transitioned to Active Domain.
Since we are a part of the NAE, Macs are excluded from email and some
other services. As a workaround for most of my requirements, I have
been using our webmail access for most of my internal mail (clunky,
but doable). I also depend upon webmail when on the road. Note that
local messages sent to my AKO are blocked locally and redirected to
my local address. Now a new requirement has been announced to make
webmail CAC compliant using a CAC reader and Tumbleweed software.
Since Mac Mail handles CAC requirements well, the question is will
Tumbleweed accept Mac Mail as a legitimate client. Does anyone have
any experience with this type of setup?
John Niles
------------------------------
Message: 3
Date: Wed, 16 Aug 2006 09:09:10 -0500
From: "Timothy J. Miller" <email@hidden>
Subject: Re: [Fed-Talk] New Email Requirement
To: John Niles <email@hidden>
Cc: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset="iso-8859-1"
John Niles wrote:
> Now a new requirement has been announced to make webmail CAC
> compliant using a CAC reader and Tumbleweed software. Since Mac Mail
> handles CAC requirements well, the question is will Tumbleweed accept
> Mac Mail as a legitimate client. Does anyone have any experience with
> this type of setup?
The Tumbleweed client is only for revocation status checking at your
end. This lets the client use online certificate status protocol (OCSP)
for certificate revocation checking (in your case, the webmail server's
certificate). Tumbleweed Desktop Validator only runs on Windows.
Now, OS X from Jaguar (I think) onwards supports OCSP, but it doesn't
work with the existing constraints of the DoD PKI. Most importantly, OS
X OCSP support relies on the OCSP service URL being in the certificate
itself (in the authorityInformationAccess extension) which the DoD PKI
didn't start using until *very* recently. It also doesn't obey the
system proxy settings (despite the fact that OCSP uses HTTP as its
transport). I'm also not certain if OS X OCSP supports the trust model
the DoD PKI is using for OCSP, but given the first two problems this
becomes 1) difficult for me to test, and 2) irrelevant anyway. :/
I'm hoping these are going to be (finally) addressed in Leopard, but
I've not gotten my hands on a seed yet. Hint hint, Shawn.
On the plus side, the DoD PKI doesn't revoke web server certs very
often. If you look, the CRLs for the CAs that issue device
certificates--CAs 7, 8, 13, and 14--are the smallest. Almost tiny, in
fact. So not being able to get OCSP status for your webmail server's
certificate isn't the end of the world.
That all being said, you *can* do CAC authentication to websites using
OS X and either Firefox, Mozilla or Safari (but not Camino and I don't
know about Opera). There's lots of good instructions on this posted to
this list you'll find in the archives on getting the CAC working right
with all these browsers. Insofar as the webmail server is concerned, so
long as you authenticate with the right certificate it can't tell the
difference between browsers and OSes. And if it does, you can fake it
by mucking with your browser's User-Agent string.
That's webmail in general. Now let's talk OWA.
OWA 2003 has additional support for signed and encrypted email. Of
course, MS built this using an ActiveX control that will do S/MIME
operations. Obviously this won't work on OS X (which is, in the final
analysis, a Good Thing(tm); there are too many ActiveX
vulnerabilities). So if you're using OWA, you *should* be able to
access it with CAC authentication but you *won't* be able to send signed
or encrypted email, or read encrypted email. You *may* be able to read
signed email, but it depends on how the client signed it; clear signed
email you should be able to read, but opaque signed email will appear as
an attachment. It's possible to decode this attachment using OpenSSL
command-line tools, but you might not want to get into that...
-- Tim
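An added example, not part of Tim's message or anything else posted to the list: the shell script below, using the openssl command-line tool, shows the dependency Tim describes. It issues two self-signed test certificates, one carrying an authorityInformationAccess (AIA) extension that names an OCSP responder and one with no AIA at all, then reads the responder URL back the way a client must when the certificate is its only source of that information. The subject name, the responder URL http://ocsp.example.test and the closed/open policy argument are invented for the example, and nothing here touches the network.

```shell
#!/bin/sh
# Added example, not code from the original thread. It shows why a client
# that discovers the OCSP responder only through the certificate's
# authorityInformationAccess (AIA) extension cannot check a certificate
# that lacks one, and what a fail-closed client should do in that case.
# The subject name, the responder URL and the policy values are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a one-day self-signed test certificate.
#   $1 = file prefix under $WORK
#   $2 = optional X.509 extension in openssl's -addext syntax
make_cert() {
    prefix=$1
    ext=${2:-}
    set -- openssl req -x509 -nodes -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=webmail.example.test" \
        -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.pem"
    if [ -n "$ext" ]; then
        "$@" -addext "$ext" 2>/dev/null
    else
        "$@" 2>/dev/null
    fi
}

# Constructed inputs: one certificate whose AIA names a (fictional) OCSP
# responder, and one with no AIA extension at all.
make_cert with_aia "authorityInfoAccess=OCSP;URI:http://ocsp.example.test"
make_cert without_aia

# What an AIA-only client can do: read the responder URL out of the
# certificate itself. Prints one URL per line, nothing if there is none.
ocsp_responder() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# A client decision with an explicit policy. $1 = certificate file,
# $2 = "closed" or "open". Prints "check <url>" when a responder is
# known, otherwise "deny" (fail closed) or "allow-unchecked" (fail open).
revocation_decision() {
    cert=$1
    policy=$2
    url=$(ocsp_responder "$cert" | head -n 1)
    if [ -n "$url" ]; then
        echo "check $url"
    elif [ "$policy" = closed ]; then
        echo "deny"
    else
        echo "allow-unchecked"
    fi
}

# Demonstration output when the script is run directly.
for c in with_aia without_aia; do
    printf '%s: AIA OCSP URL = [%s]\n' "$c" "$(ocsp_responder "$WORK/$c.pem")"
    printf '%s: fail-closed -> %s, fail-open -> %s\n' "$c" \
        "$(revocation_decision "$WORK/$c.pem" closed)" \
        "$(revocation_decision "$WORK/$c.pem" open)"
done
```

Run it with sh and it prints the URL found for each certificate and the decision each policy produces. The certificate without AIA yields no URL at all, so a client that has no out-of-band responder configuration can never even form a query for it; the only honest outcomes are "deny" under a fail-closed policy or an explicitly unchecked "allow" under a fail-open one. A client that reports success in that state is not doing revocation checking.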
------------------------------
Message: 4
Date: Wed, 16 Aug 2006 10:59:54 -0500
From: Paul Nelson <email@hidden>
Subject: Re: [Fed-Talk] New Email Requirement
To: John Niles <email@hidden>, <email@hidden>
Message-ID: <C108AB2A.4DF4B%email@hidden>
Content-Type: text/plain; charset="US-ASCII"
I haven't figured this out for the typical Army installation, but here is
what I know:
If you have Outlook Web Access hosted on a Windows 2000 or 2003 server (I
believe you do), then Safari will be able to connect and authenticate using
Kerberos.
I've been testing this with ADmitMac for CAC. I can use a CAC to log in and
get Kerberos credentials, then use Safari to connect to OWA without getting
prompted for a password. This gives some limited capability. I don't see
any way to send signed or encrypted e-mail though.
I don't know about Tumbleweed's MailGate stuff (I assume that is what you
are talking about), but I think MailGate fits between the Internet and
e-mail servers. I don't think it gets involved with http connections, so it
should not affect using OWA.
Paul Nelson
Thursby Software Systems, Inc.
on 8/16/06 7:39 AM, John Niles at email@hidden wrote:
> CAC compliant using a CAC reader and Tumbleweed software.
> Since Mac Mail handles CAC requirements well, the question is will
> Tumbleweed accept Mac Mail as a legitimate client. Does anyone have
> any experience with this type of setup
------------------------------
Message: 5
Date: Wed, 16 Aug 2006 11:20:44 -0500
From: Paul Nelson <email@hidden>
Subject: Re: [Fed-Talk] New Email Requirement
To: "Timothy J. Miller" <email@hidden>, John Niles
<email@hidden>
Cc: Apple Fed Talk <email@hidden>
Message-ID: <C108B00C.4DF54%email@hidden>
Content-Type: text/plain; charset="US-ASCII"
From talks with Apple, they don't have plans to implement the same kind of
OCSP that Tumbleweed does on client desktop systems.
I did talk with a number of Apple's engineers at WWDC, and explained why
this is important for the military. They were receptive, so we might see
something in the future. There is an API for using an OCSP responder in
Tiger, but it is private, and does not work properly.
on 8/16/06 9:09 AM, Timothy J. Miller at email@hidden wrote:
> Now, OS X from Jaguar (I think) onwards supports OCSP, but it doesn't
> work with the existing constraints of the DoD PKI. Most importantly, OS
> X OCSP support relies on the OCSP service URL being in the certificate
> itself (in the authorityInformationAccess extension) which the DoD PKI
> didn't start using until *very* recently. It also doesn't obey the
> system proxy settings (despite the fact that OCSP uses HTTP as its
> transport). I'm also not certain if OS X OCSP supports the trust model
> the DoD PKI is using for OCSP, but given the first two problems this
> becomes 1) difficult for me to test, and 2) irrelevant anyway. :/
>
> I'm hoping these are going to be (finally) addressed in Leopard, but
> I've not gotten my hands on a seed yet. Hint hint, Shawn.
------------------------------
Message: 6
Date: Wed, 16 Aug 2006 12:02:03 -0500
From: "Halpin, Stanley Dr ARI" <email@hidden>
Subject: RE: [Fed-Talk] New Email Requirement (UNCLASSIFIED)
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain
Classification: UNCLASSIFIED
Caveats: NONE
At least within my installation, OWA is gone, turned off. The only access to
our local mailbox is via the local net from a machine with CAC-reader
attached, or via VPN. My work-around has been to use a Dell laptop as my
email machine.
Has anyone been successful in using VPN from a Mac into an Army system? I
know that there is VPN option available under network preferences (?) but
haven't a clue what to do or whether Apple's flavor of VPN would be
acceptable to our network managers.
Stan
------------------------------
Message: 7
Date: Wed, 16 Aug 2006 13:48:42 -0500
From: "Timothy J. Miller" <email@hidden>
Subject: Re: [Fed-Talk] New Email Requirement (UNCLASSIFIED)
To: "Halpin, Stanley Dr ARI" <email@hidden>
Cc: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset="iso-8859-1"
Halpin, Stanley Dr ARI wrote:
> Has anyone been successful in using VPN from a Mac into an Army system? I
> know that there is VPN option available under network preferences (?) but
> haven't a clue what to do or whether Apple's flavor of VPN would be
> acceptable to our network managers.
It depends on the VPN protocol. If they're using IPSec/XAUTH (which is
what the Cisco VPN client does) then no; the Mac Cisco VPN client is
crap, and hooks into neither the keychain nor the PKCS#11 module
provided, so it can't talk to the CAC.
If they're doing L2TP/IPSec (which is what the built-in Windows and Mac
VPN clients use), it *can* be made to work, but there are a couple of
little details that are needed.
If they're doing something else, I have no idea. :)
FWIW, I'll hazard a guess that they're using the Cisco VPN client with
the CAC. If this is so, they *must* be using the ASA5500 *and* version
7.2 or better *and* configure OCSP *and* configure the VPN to refuse
access if OCSP responses are unavailable.
-- Tim
------------------------------
_______________________________________________
Fed-talk mailing list
email@hidden
http://lists.apple.com/mailman/listinfo/fed-talk
End of Fed-talk Digest, Vol 3, Issue 216
****************************************
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden