Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
- Subject: Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 31 May 2007 22:12:19 -0400
- Thread-topic: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
I left one item off the list: the lack of hardware-encrypted hard disks in
Macs. Stolen laptops are a huge problem. If Apple doesn't support hardware-
encrypted disks soon, they will risk losing all the DOD laptop sales.
Other comments below.
On 5/31/07 9:46 AM, "Timothy J. Miller" <email@hidden> wrote:
> On May 31, 2007, at 2:12 AM, Boyd Fletcher wrote:
>
>> Over the last year, I have noticed a disturbing trend on Apple Fed-Talk. The
>> single biggest issue (by far) that Federal users have with Apple is the poor
>> state of CAC/smartcard support in Apple software and hardware.
>
> I'd take issue with this statement. Compared to, say, Solaris or
> Windows, OS X has outstanding DoD PKI support out of the box. No
> additional software or configuration is required; you plug in a
> supported reader, insert the CAC, and go.
I obviously disagree. Though Apple has made great strides, some of the
assumptions it has made cause much strife for Apple users.
>
>> - how many folks on this list have either Dave's CAC switch program or
>> some other hack to get their CAC to work? I do. Everyone I know personally
>> in DOD has one installed. This should be telling Apple something, hmm.....
>
> This issue re: cert selection *only* arises with OWA. FYI, OWA
> support for smartcard logon is a *major* hack, and it took a good
> year of wrangling to get it working on the server-side--*including*
> new products and specific code changes from Microsoft. And since the
> AF uses LEAP for SCL configuration support, and correct use of this
> tool eliminates the symptom, there really isn't a problem.
It's not just OWA. Other sites in DOD have problems (particularly ones that
use the email cert vs. the identity cert, usually because the site uses OWA).
>
> I think Apple's stance on the point is the best one to take. Why?
> Because when MS gets its act straight in a later version of OWA,
> Safari as currently implemented *will continue to work correctly*;
> whereas by changing Safari or the Trust Services API to match
> Microsoft's bugs, Apple would be putting itself in a position where
> they're hung out to dry when MS finally gets around to fixing things.
>
>> 2) work with Microsoft Entourage (dig sign, encrypted, and https/webdav
>> access for OWA) and Mozilla Firefox/Thunderbird folks to make sure their
>> apps fully and transparently support CAC/SC.
>>
>> - Entourage doesn't work with a CAC-enabled OWA site
>> - FF still crashes frequently on many users' computers when trying to
>> access the CAC/SC
>
> I fail to see how *third party lack of support* for CAC on OS X is
> Apple's fault or responsibility. OS X's security APIs are well-
> documented and publicly available. Microsoft's failure to correctly
> use Keychain or the MS MBU's failure to keep pace with the Exchange
> team are Microsoft's problems, and the Mozilla Foundation has other
> goals (namely, minimization of cross-platform differences)--though
> the crash bug regression in FF 2.0.0.3 is inexcusable, IMHO.
>
I didn't say it was their fault, but was trying to drive home the point that
two of the most used applications on Macs don't fully support Apple's
smartcard implementation. Hopefully Apple can work with these vendors to
resolve the problem.
>
>> 4) Every single top 7 computer laptop vendor EXCEPT Apple has laptops with
>> integrated smartcard readers. Why can't Apple get with the program? I and
>> many, many others are getting really tired of lugging an SCR-331 around with
>> them just so they can log in to their MBPs.
>
> Apple's selection of Expresscard/34 vs. Expresscard/54 for the
> Macbook Pro was certainly disappointing. (There are Expresscard/54
> smartcard readers, but the /34 slot is too narrow.)
>
I was pretty disappointed as well. Hopefully Apple will see the light and
add either EC/54 support or, better yet, add a smartcard reader to their
machines.
>> 3) Enterprise customers don't like surprises. They want to know where their
>> technology provider is going to be in 6, 12, 18, 24, 36 months... Government
>> moves slowly and frequently has long lead times on equipment purchases,
>> long and complicated testing/qualification events for new s/w & h/w, and
>> even longer life cycle replacement periods (for example, ships cycle out
>> equipment every 3-5 YEARS!).
>
> Apple's culture of secrecy certainly is an impediment in the Federal
> space. I've had long discussions with Shawn (and any other Apple rep
> who'll sit still for it) on more than one occasion. However, this
> will only change from the top down (i.e., they need to stop firing
> people who reveal product details in advance of launch), but IMHO
> Stevie-boy likes that "wow, cool" moment *way* too much to allow that
> to change. :)
>
Unfortunately, I agree with your conclusion. I certainly see the "wow" value
for consumer products, but for business & pro systems it's simply not needed
or is usually counter-productive.
> -- Tim
>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden