Re: [Fed-Talk] Apple Smart Card Setup Guide (was Disabling password login in favor of CAC)
- Subject: Re: [Fed-Talk] Apple Smart Card Setup Guide (was Disabling password login in favor of CAC)
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 29 Aug 2006 10:55:11 -0500
Timothy J. Miller wrote:
Paul Nelson wrote:
I've tested to make sure no DoD certs were trusted (or even installed) on a Mac, and login was still allowed using a CAC. If trust checks were enforced, it would be much more difficult to spoof a user, since the spoofed certificate would have to have been generated by a certificate authority trusted by the Mac.
My last testing on this contradicts yours. I specifically tested
certificate chaining and observed it working correctly; if the
authorities were not installed in X509Anchors & X509Certificates, users
could not authenticate.
I'll retest when I get some free time.
Can't let things like this go. I made time.
Chaining is not performed. This is a serious problem and I'll be
exercising my POCs this afternoon. The 10.4.8 seed is starting soon, IIRC.
There is a workaround: use the pubkey hash instead. With the private
key challenge this can't be spoofed. You will have to ensure:
1) pubkey hash is added to an account only with a face-to-face verification of the user.
2) The OpenDirectory store where the account resides (local Netinfo for most of you) is secure.
3) The pubkey hash is not modified except when the user gets a new card or key.
4) Modification is only done with a face-to-face verification of the user.
-- Tim
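The following is an added example, not code from the list thread or from Apple, that models the two checks this message is about: the chain-to-anchor test that the message reports as skipped, and the pubkey-hash mapping plus private key challenge offered as the workaround. It constructs a trusted CA, a rogue CA and two "Alice" cards in memory (all names are made up), then shows that a name-only mapping accepts the rogue card while the pubkey-hash mapping does not. The exact digest Apple uses for its pubkey hash is not stated in the message, so the SHA-1-of-SubjectPublicKeyInfo used here is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate with its private key. On a real CAC the key
// never leaves the card; it is held in memory here only so the example can
// play the card's side of the challenge. Every CA and user is constructed.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert generates a P-256 key and a certificate for it. With parent nil the
// result is a self-signed CA; otherwise parent signs a client-auth leaf.
func makeCert(name string, parent *identity) identity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	} else {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return identity{cert, key}
}

// anchorsFor stands in for the X509Anchors store: the CAs the host trusts.
func anchorsFor(cas ...identity) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca.cert)
	}
	return pool
}

// chainsToAnchor is the trust check the message reports as not performed:
// does the card's certificate chain to an installed anchor?
func chainsToAnchor(cert *x509.Certificate, anchors *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     anchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// pubkeyHash is the hex SHA-1 of the DER SubjectPublicKeyInfo (assumption:
// the thread does not say how Apple derives its hash; any stable digest of
// the public key serves as the account lookup key).
func pubkeyHash(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// proveKeyPossession is the private key challenge: the host sends a fresh
// nonce, the card signs it, the host verifies with the certificate's key.
func proveKeyPossession(id identity) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, id.key, digest[:])
	if err != nil {
		return false
	}
	pub, ok := id.cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// authorizeBySubject mirrors a name-keyed mapping with no chain check: any
// card whose CN matches wins. Included only to contrast with the next function.
func authorizeBySubject(id identity, accounts map[string]string) (string, bool) {
	acct, ok := accounts[id.cert.Subject.CommonName]
	return acct, ok && proveKeyPossession(id)
}

// authorizeByPubkeyHash is the workaround: the account is keyed by the enrolled
// public key, and the card must prove it holds the matching private key.
func authorizeByPubkeyHash(id identity, accounts map[string]string) (string, bool) {
	acct, ok := accounts[pubkeyHash(id.cert)]
	return acct, ok && proveKeyPossession(id)
}

func main() {
	trusted, rogue := makeCert("Constructed Trusted CA", nil), makeCert("Constructed Rogue CA", nil)
	alice := makeCert("Alice", &trusted)
	impostor := makeCert("Alice", &rogue) // same name, different key and issuer
	anchors := anchorsFor(trusted)
	byName := map[string]string{"Alice": "alice"}
	byHash := map[string]string{pubkeyHash(alice.cert): "alice"} // enrolled face-to-face
	for _, id := range []identity{alice, impostor} {
		_, nameOK := authorizeBySubject(id, byName)
		_, hashOK := authorizeByPubkeyHash(id, byHash)
		fmt.Printf("issuer=%q chains=%v byName=%v byHash=%v\n",
			id.cert.Issuer.CommonName, chainsToAnchor(id.cert, anchors), nameOK, hashOK)
	}
}
```

The point of the contrast is that the hash mapping is only as good as points 1 through 4 above: the map is the trust store, so whoever can write to it can enrol any key, which is why the store and the enrolment procedure have to be protected.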