Re: [Fed-Talk] Apple Smart Card Setup Guide (was Disabling password login in favor of CAC)
- Subject: Re: [Fed-Talk] Apple Smart Card Setup Guide (was Disabling password login in favor of CAC)
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 29 Aug 2006 12:56:51 -0500
Paul Nelson wrote:
We are agreeing here. For proper authentication, the system must verify
that the user possesses the private key. Apple's CAC login does not do
this.
Yes it does:
Aug 29 12:01:11 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACKeyRecord::CACKeyRecord application: desc:Identity Private Key sign:1
Aug 29 12:01:11 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACKeyRecord::CACKeyRecord application: desc:Email Signing Private Key sign:1
Aug 29 12:01:11 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACKeyRecord::CACKeyRecord application: desc:Email Encryption Private Key sign:0
Aug 29 12:01:11 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACCertificateRecord::getDataAttribute
Aug 29 12:01:11 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACCertificateRecord::getDataAttribute
Aug 29 12:01:11 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACCertificateRecord::getDataAttribute
Aug 29 12:01:17 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACKeyRecord::getAcl mSignOnly 1
Aug 29 12:01:17 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACKeyRecord::getAcl mSignOnly 1
Aug 29 12:01:17 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: CACKeyRecord::computeCrypt sign:1 dataLength:128
Aug 29 12:01:17 hotplate /System/Library/Security/tokend/AMSmartCard.tokend/Contents/MacOS/AMSmartCard: exit CACKeyRecord::computeCrypt outputLength:128
The last two lines here are the challenge-response protocol that verifies
the private key.
-- Tim
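The challenge-response step Tim points at (the host hands the card data to sign, the card signs it with the private key, the host verifies the result against the public key in the card's certificate), written out as an added example; this is illustration code, not code from the thread or from Apple's tokend. The Token type, the 32-byte nonce, and the SHA-256 / PKCS#1 v1.5 signature scheme are assumptions made for the example; only the 128-byte output length is taken from the log above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Token stands in for the card (an assumption for this example): the private key
// never leaves it; the host gets only the certificate's public key and a sign
// service, the equivalent of "computeCrypt sign:1" in the log above.
type Token struct{ priv *rsa.PrivateKey }

// NewToken generates the card key; 1024 bits yields the 128-byte output seen in the log.
func NewToken(bits int) (*Token, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Token{priv: k}, nil
}
// PublicKey is what the host reads out of the card's certificate.
func (t *Token) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }
// Sign is the only private-key operation the host may request.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, t.priv, crypto.SHA256, h[:])
}
// NewChallenge returns a fresh random nonce per login so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// VerifyPossession is the host side: the response must verify under the
// certificate's public key for exactly this challenge, not an earlier one.
func VerifyPossession(pub *rsa.PublicKey, challenge, sig []byte) error {
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("response does not verify, private key not proven: %w", err)
	}
	return nil
}

func main() {
	tok, _ := NewToken(1024)
	c, _ := NewChallenge()
	sig, _ := tok.Sign(c)
	fmt.Printf("%d-byte response, verify: %v\n", len(sig), VerifyPossession(tok.PublicKey(), c, sig))
}
```

Reading the certificate alone (the getDataAttribute calls) proves nothing; only a valid response to a fresh challenge does, which is why a replayed response or a response from a different key must be rejected.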