Re: [Fed-Talk] Re: CAC reader and software HELP
- Subject: Re: [Fed-Talk] Re: CAC reader and software HELP
- From: "Timothy J. Miller" <email@hidden>
- Date: Fri, 27 Apr 2007 16:55:08 -0500
Shawn A. Geddis wrote:
> You will need to use Apple's Keychain Access to install your CAC
> certs and any newer DoD certs that you may have.
I have never been able to determine the origin of this myth to stop it
altogether, but it has since even made it into shared documentation of
what to do. This is insane. Certificates/Keys on a Smart Card are just
that -- ON a Smart Card. There was never any reason for a user to ever
copy certificates from a Smart Card.
The confusion arises from MS Windows' behavior, where the user's cert
store is erroneously viewed by many as "equivalent" to Apple's Keychain.
On Windows, you *must* copy certs into the user's cert store or CAPI
won't be able to find them even when the card is inserted. With older
smartcard middleware this was a manual operation, but newer middleware
does it for you at card insertion.
BTW, this also leads to pollution of the key store and user confusion if
you ever stick a smartcard you don't own into the reader when you're
logged in, or fail to delete old certs when a smartcard is revoked or
reissued. This is because CAPI isn't capable of distinguishing between
"certs I can use because the private key is on a card in the reader" and
"certs I can't use because the card isn't in the reader." *All* certs
copied to the cert store are seen as "available" by the system, and you
will be allowed to select them when prompted for cert selection during,
say, website authentication.
-- Tim
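An added audit script, not part of the original message, for the store pollution Tim describes: it lists smart-card logon certificates that middleware has propagated into the user's personal store and flags the ones that no longer match a usable card (expired, or superseded by a newer cert for the same subject after a reissue). It assumes Windows PowerShell 5.1 or later with the Cert: drive; the EKU OID is the standard Microsoft Smart Card Logon OID, so it covers only the logon cert on a card, not signature or encryption certs.

```powershell
# Added example (not from the original message). Finds leftover smart-card
# logon certs in the current user's personal store.
# Assumes Windows PowerShell 5.1+ and the Cert: provider.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

function Get-StaleSmartCardCerts {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [datetime]$Now = (Get-Date)
    )
    # Only certs carrying the Smart Card Logon EKU; the Cert: provider exposes
    # EnhancedKeyUsageList with an ObjectId per entry.
    $scCerts = Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid }

    # The newest NotAfter per subject marks the current card; older ones are
    # leftovers from a revoked or reissued card.
    $newest = @{}
    foreach ($c in $scCerts) {
        if (-not $newest.ContainsKey($c.Subject) -or $c.NotAfter -gt $newest[$c.Subject]) {
            $newest[$c.Subject] = $c.NotAfter
        }
    }
    foreach ($c in $scCerts) {
        $reason = $null
        if ($c.NotAfter -lt $Now) {
            $reason = 'expired'
        } elseif ($c.NotAfter -lt $newest[$c.Subject]) {
            $reason = 'superseded by newer cert for same subject'
        }
        if ($reason) {
            [pscustomobject]@{
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
                Reason     = $reason
            }
        }
    }
}

# Review first; drop -WhatIf only after confirming the list. The private key
# lives on the card, so the store entry is removed without -DeleteKey.
$stale = Get-StaleSmartCardCerts
$stale | Format-Table -AutoSize
foreach ($s in $stale) {
    Remove-Item -Path "Cert:\CurrentUser\My\$($s.Thumbprint)" -WhatIf
}
```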