RE: [Fed-Talk] Using Digital Signature with CAC with Acrobat
- Subject: RE: [Fed-Talk] Using Digital Signature with CAC with Acrobat
- From: "Charles Mae" <email@hidden>
- Date: Mon, 2 Jul 2007 12:22:54 -0700
- Thread-topic: [Fed-Talk] Using Digital Signature with CAC with Acrobat
The hard part is the testing part :)
I can test the PKCS #11 portion. Getting my reader this week and I'll be able to show that it works.
But to test with a CAC, I need a demo card with SSO (as it is currently setup with AD) which is much more difficult :)
From Shawn's description, it only happens with CAC. You're fine using both the keychain and PKCS11 with other cards that the Mac OS won't try to own.
-----Original Message-----
From: Paul Nelson [mailto:email@hidden]
Sent: Monday, July 02, 2007 2:18 PM
To: Timothy J. Miller; Charles Mae
Cc: Apple Fed Talk
Subject: Re: [Fed-Talk] Using Digital Signature with CAC with Acrobat
I'm wondering why simple data signing is that complicated, that you can't
use both (to cover cards that don't have TokenD)?
You would just need to get the available cards via PKCS11, then the
Keychain, then remove duplicates.
Paul
on 7/2/07 1:53 PM, Timothy J. Miller at email@hidden wrote:
> On Jul 2, 2007, at 1:44 PM, charles mae wrote:
>
>> But, from my discussions with Shawn, the issue is with the CAC card
>> which is "known" to the Mac OS and the drivers have already been
>> pre-loaded. The CAC is made to work specifically via tokend where
>> the OS takes ownership of the card and expects all apps to go via
>> the keychain and negate the use of the older PKCS #11 interface
>> which needs to be loaded from each app.
>
> While Paul is right that it's not flawless, it works for the most
> part. :) I can demonstrate access to a CAC via PKCS#11 *and* tokend
> on the same system at the same time (though not, strictly speaking,
> simultaneously; pcscd serializes simultaneous requests).
>
>> We thought that we could just provide PKCS #11 support which works
>> with non Mac known readers where you would just load the drivers.
>
> I just mailed you off-list but I'll repeat it here: IMHO PKCS#11 is
> nice (if it would work; Reader doesn't successfully load the module)
> but Keychain would be better. Keychain API would get you access to
> user-held software certificates from the login (or other) keychains,
> which PKCS#11 can't touch. In addition, Keychain will be more
> flexible with non-PKCS#11 crypto tokens (assuming a tokend is
> installed, natch).
>
> -- Tim
Fed-talk mailing list (email@hidden)