Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
- Subject: Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 8 Oct 2007 11:01:09 -0500
On Oct 8, 2007, at 10:51 AM, Shawn A. Geddis wrote:
> Allow me to further clarify my statement, since Tim's response
> points out that it may easily be misunderstood by some.
>
> Let me try this again:
>
> From Apple's perspective, using the PKCS#11 abstraction layer has
> repeatedly proved to be an inadequate abstraction for Smart Card
> integration _On Mac OS X_. Starting with Mac OS X 10.4.0 and
> later, PKCS#11 is no longer Apple's preferred or integrated
> abstraction for Smart Cards. All installation, configuration and
> management of PKCS#11 services are the responsibility of the end-
> user. Be aware that in future versions of Mac OS X, PKCS#11
> support may not ship on the product and may not be supported by
> AppleCare.
>
> Whereas, the integrated Smart Card Services (tokend) in Mac OS X
> 10.4.0 and later provided by Apple also includes out-of-box support
> for US Federal Smart Cards meeting the CAC/GSC-IS specifications.
> Built-in PIV support is coming with the release of 10.5 - "Leopard".

I'm not claiming that tokend doesn't represent the "Mac" way of doing
things, or even that it doesn't represent a better technical solution.

I *am* claiming that lack of a shipping PKCS#11 module will eliminate
OS X ports of UNIX applications that require it for smartcard
services. For example, any application that embeds NSS--of which
there are, I might add, FIPS certified versions--like Firefox or
Thunderbird will not be able to use smartcards on OS X.

*That* is the mistake.

In re: AppleCare support of PKCS#11--well, frankly, I'm not sure that
matters all that much. However, not having the module available--
that *does* matter.

-- Tim