Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
- Subject: Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
- From: Shawn A.Geddis <email@hidden>
- Date: Wed, 10 Oct 2007 20:08:47 -0400
On Oct 10, 2007, at 12:21 PM, Paul Nelson wrote:
On 10/10/07 9:16 AM, Shawn A. Geddis at email@hidden wrote:
I would like to make a list of all the PKCS#11 apps. I think this list is a good start:
1) Firefox and other Mozilla stuff
2) Cisco VPN (at least it does NOT use the Keychain)
3) Citrix client
4) Acrobat 8 Pro
Actually, neither #2 nor #3 should be on this list:
2) Cisco VPN on Mac OS X - No PKCS#11 - Soft Certs ONLY and internally managed
3) Citrix ICA Client - Uses pcsc calls to pcscd while manipulating Keychain Locks
You are correct on item #2 - it does not use PKCS#11, but doesn't use the Keychain either.
Correct. I stated -- "Soft Certs ONLY and internally managed". No reference to Keychains.
Same for #3.
Misunderstood what I wrote. They manipulate the Keychain Locks (for Smart Cards).
However, recent work shows that Citrix conflicts with the Keychain for both Apple and Citrix shipping software.
You need to test with a recent version from Citrix and build of OS X 10.4.11 (currently available to developers).
For those following this, let's keep things very clear here:
Third-Party Applications           Abstraction   Notes
---------------------------------  ------------  ----------------------------------------------------
1) Firefox/Thunderbird/Mozilla...  PKCS#11       Also maintains its own internal Certificate Store
2) Cisco VPN Client                -Internal-    Only maintains its own internal Certificate Store
3) Citrix ICA Client               pcsc          Manipulates Keychain Locks to avoid tokend conflicts
4) Acrobat 8 Pro                   PKCS#11       Also supports PKCS#12 (file-based storage)
5) MS Entourage                    Keychains     Utilizes built-in Keychain Services
                                                 (Keychains: File-based & Smart Cards)
--------------------------
Apple Applications/Services supporting Smart Cards
-- Keep in mind that Apple is currently still the ONLY OS vendor providing Out-of-Box support for the US Federal Smart Cards (10.4: CAC/GSC-IS; 10.5: will add PIV)
-- Login Window (System Login - User Authentication)
-- System Preferences (If Locked and Requiring Admin/User Authentication)
-- Screen Saver - Unlock (obviously related to System Login)
-- Mail (Mail) (S/MIME - Signing and Encrypting Mail)
-- Web (Safari) (HTTPS - Secure Web Access - Client Side Authentication)
-- Remote Access (IC) (L2TP/IPSec, PPTP and 802.1X for Network Access Control)
   (SSL VPN Access (i.e. Juniper) is activated by using Safari)
Some important Smart Card features coming in Mac OS X 10.5 "Leopard"
-- PIV Support (Additional "PIV" tokend to support PIV cards out-of-box)
-- Unlock of FileVault (Unlock FV enabled accounts using keys from Smart Cards)
-- Unlock of Keychains (Unlock Keychains using keys from Smart Cards) (Keychains can then also unlock other keychains)
-- Keychain - Plugin UI (Double-Click access to additional PIN Protected data on Cards - demographics)
- Shawn
_____________________________________________________
Shawn Geddis, Security Consulting Engineer, Apple Enterprise
Fed-talk mailing list (email@hidden)