Re: [Fed-Talk] SmartCard Login
- Subject: Re: [Fed-Talk] SmartCard Login
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 27 Feb 2006 12:18:58 -0600
Paul Nelson wrote:
I believe that MIT is planning on implementing PKINIT from the new standard.
This is going to be a major change and will include a number of other
enhancements (support for different encryption methods, server error
encoding for example). From what I see in the Apple code, MIT might be able
to use the stuff written to handle security/keychain API. I think the
encoding for as_req may need to be re-written due to the fact that it will
support the newer spec, and not just the Microsoft compatibility.
FWIW, the MS security lead PM tells me I can say that the next version
of MS will be built on draft-34. Since draft-34 went into the editor
queue round about Thursday of last week, this should make life easier
for everyone.
Now all that's really needed is for someone to pony up some funds and/or
code and get the implementation done. Apple is well positioned to do
either of these.
The problem is, from Apple's side, that the business case is slim; the
primary user of PKINIT in the world will be the DoD (followed by the
rest of the fed) for the near term, and the DoD Mac market is not large.
A third party can play in this space too, of course. Paul's company
would be the one I'd turn to for an implementation. But I'll warrant
that he has the same business case issues Apple does.
But what everyone needs to keep in mind is this: the longer this
finger-pointing and indecisiveness goes on, the smaller the fed Mac
market becomes. As JTF-GNO CTO 06-02 and its successors come into
force, the lack of PKINIT support alone will push Macs out of DoD
service over the next 18 months. HSPD-12 implementation will do the
same for the rest of the fed over the next 2-3 years. The only
remaining fed market will be scattered lab environments.
And I don't think that would be doing any of us any good.
So let me state this as clearly as possible: In my opinion, PKINIT
support is the *single most important feature* that the fed market needs
on the OS X platform. Nothing else really matters. While native
support is preferred, add-on support would be workable. If someone
can't get moving in that direction, and soon, I (and others like me) am
going to have to start recommending *against* Apple when options are
discussed.
That's not a threat, so please don't take it that way. But it is a reality.
-- Tim