[Fed-Talk] RE: Incorporating Verisign Certs into Safari
- Subject: [Fed-Talk] RE: Incorporating Verisign Certs into Safari
- From: "Gordon Bob Ctr AF/A3/5PEG" <email@hidden>
- Date: Mon, 15 Oct 2007 12:13:38 -0400
- Thread-topic: Incorporating Verisign Certs into Safari
Anyone have any info on how to do this? Verisign still has one of the worst customer support sites I have ever seen.
Any help would be appreciated.
Bob
--------------------------------------------------------
UNCLASSIFIED
//SIGNED//
Bob Gordon, Ctr
Systems Admin, AF A3/5PEG
Tel: (703) 693-0015 - Fax: (703) 693-2594
email@hidden
email@hidden
FOR OFFICIAL USE ONLY - Privacy Act of 1974
Classification: UNCLASSIFIED
Caveats: NONE
-----Original Message-----
From: fed-talk-bounces+bob.gordon.ctr=email@hidden On Behalf Of email@hidden
Sent: Thursday, October 11, 2007 3:05 PM
To: email@hidden
Subject: Fed-talk Digest, Vol 4, Issue 242
Today's Topics:
1. GVExpo 2007 (David Hale)
2. Re: CAC Setup on Intel MACs (additional step) (Shawn A. Geddis)
3. Re: CAC Setup on Intel MACs (additional step) (Shawn A.Geddis)
----------------------------------------------------------------------
Message: 1
Date: Wed, 10 Oct 2007 17:29:51 -0400
From: David Hale <email@hidden>
Subject: [Fed-Talk] GVExpo 2007
To: email@hidden
Message-ID: <email@hidden>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Apple Inc. Invites You as Our Guest to Attend GVExpo 2007 with a
Complimentary Exhibit Hall Pass November 15-16 Washington DC
Convention Center
Apple is participating in the Government Video & Technology
Conference & Expo, the largest Video, AV, Broadcast, Multimedia,
Asset Management, Collaborative Conferencing, Digital Signage and
Technology event.
Plan to attend the Final Cut Server Presentation on Thursday,
November 15th from 1:00 - 1:45 pm. Luke Tristram, Apple's Senior
Product Manager for Final Cut Server will present an introduction to
Apple's new Final Cut Server asset management product covering: Basic
architecture, Key Features, Configuration & Installation, and
Workflow Examples.
While you're visiting GVExpo:
Visit MediaBeacon (Booth #340) to see MediaBeacon's Digital Asset
Management solution demonstrated on Macintosh hardware.
Visit Apple partners Chesapeake Systems and Macintosh Business
Solutions to see a variety of Apple solutions for the Government.
Sign up now and see you at the show.
Click Here for your Complimentary Exhibit Hall Pass http://www.gvexpo.com/epromos/evite/gvexpovip.pdf
------------------------------
Message: 2
Date: Wed, 10 Oct 2007 18:41:26 -0400
From: "Shawn A. Geddis" <email@hidden>
Subject: Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
To: "Robert A. Gottlieb" <email@hidden>
Cc: Fed Talk <email@hidden>
Message-ID: <email@hidden>
Content-Type: text/plain; charset="utf-8"
On Oct 8, 2007, at 1:59 PM, Robert Gottlieb wrote:
> Shawn,
>
> If I want to be compatible with the new way going forward, what are
> the steps to get Firefox working? I can get Safari working no
> problem.
> In particular, when I try to load a ges portal page it gives me an
> error saying that there is a problem with my certificate database
> error -8174.
>
> In any case, I want to do whatever is most compatible with Leopard
> as that is what I will be running as soon as it is released.
>
> Thanks,
>
> Robert Gottlieb
> email@hidden
Robert,
As noted on other threads, Firefox is PKCS#11 based and is not
integrated with Mac OS X 10.4.0 and beyond. That said, there is
nothing you can do as a user, unfortunately, to configure FireFox to
leverage the built-in Smart Card Services.
I will try to keep the following simplified enough that most everyone
on this list will understand and convey some meaningful info...
One outstanding Issue faced with accessing some DoD services is that
two Certificates (ID & Email Signing) issued on the CAC have the same
Key Usage and are valid for those services (i.e. SSL/TLS and VPN).
The vast majority of servers within DoD are enforcing the use of the
"Email Signing Cert" for user Authentication. In an effort to provide
a "zero-config" like environment on Mac OS X, the OS will
automatically select the first *valid* Cert for the required usage (in
this case the ID Cert) and send that as part of the User
Authentication process. I am not personally aware of any DoD service
that utilizes the ID Cert in any form (I am sure someone has one up),
but they all seem to overload the use of the Email Signing Cert.
There are folks on this list that can explain in detail why that was
the chosen method within DoD.
Some Servers, unfortunately, do not fail the handshake at the protocol
level (i.e. SSL negotiation), but rather return an HTML Web page
indicating that the user needs to select the right certificate (this
is a Windows approach to solving this problem). If the service failed
at the protocol level, Mac OS X would notify Safari which would
acknowledge this to the user and present the user with an Identity
selection sheet -- showing all of the additional valid certificates to
choose from. This is where the user would be able to select an
alternative certificate. Once one is selected, an Identity Preference
is added to the user's Keychain and from that point on, the selected
identity is automatically used when negotiating access to that
particular URL.
When servers do not fail at the protocol level, it causes a catch-22
situation and the user is caught in the middle. The simplest and
arguably the best approach is to correct the servers, but most admins
will not change things on the server side since that is the scenario
which works for Windows clients. I have provided a "non-supported"
Identity Preference Setting Tool to allow users to set the Identity
Preference I spoke of earlier. With this, they are able to manually
setup an Identity Preference with the URL and selection of the desired
Certificate -- before attempting to connect to the server. I realize
some of you have been utilizing tools from others to "address this
issue". Use those tools at your own risk, since any approach other
than the creation of an appropriate Identity Preference stored in the
user's keychain may result in unexpected behavior. The ability to
create and manage Identity Preferences to address this catch-22
frustration with DoD services will be available in Keychain Access
(contextual menu item) coming in Leopard - Mac OS X 10.5.
The core difference to keep in mind here is that under Mac OS X, the
processing (parsing, validation, etc.) of X.509 credentials is done by
the OS where many agree that it should be and not enforced by
applications. Also, the setting of Key Usage on Certificates is
critical to proper handling within a PKI as you can see.
A point of Irony:
As of a year ago, staff coming out of DoD Schools were being issued a
CAC with ONLY an ID Cert. As such, they were unable to even login on
their Windows machines because it lacked an "Email Signing Cert" which
was required for login with a CAC under Windows. This is one time
when you would logically think that an ID Cert would be used.
- Shawn
_____________________________________________________
Shawn Geddis  Security Consulting Engineer  Apple Enterprise
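The selection behaviour Shawn describes (first valid certificate for the required usage wins, unless an Identity Preference for that URL says otherwise) can be modelled in a few lines. The following is an added example, not Apple's code and not the unsupported tool Shawn mentions; the certificate labels, usages, validity dates, the URL `https://portal.example.mil/` and the longest-prefix URL matching are all constructed assumptions for the model.

```python
"""Added model of how a TLS client picks a certificate when two CAC certs share
the same Key Usage, and how a per-URL Identity Preference changes the result.
Constructed data; not Apple's code and not the tool Shawn refers to."""
from dataclasses import dataclass
from datetime import datetime

# PKIX extended-key-usage OIDs (RFC 5280, section 4.2.1.12)
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


@dataclass(frozen=True)
class Cert:
    label: str
    key_usage: frozenset   # KeyUsage bits, e.g. {"digitalSignature"}
    eku: frozenset         # ExtendedKeyUsage OIDs
    not_before: datetime
    not_after: datetime


def is_valid_for(cert, required_ku, required_eku, now):
    """A cert qualifies when it is inside its validity window and carries
    every required KeyUsage bit and every required EKU OID."""
    if not (cert.not_before <= now <= cert.not_after):
        return False
    return required_ku <= cert.key_usage and required_eku <= cert.eku


class IdentityPreferences:
    """Per-URL preferences, as the Keychain records after the user picks an
    identity. Longest-prefix matching of the URL is an assumption made here
    for the model; the thread only says the preference is tied to that URL."""

    def __init__(self):
        self._prefs = {}

    def set(self, url_prefix, cert):
        self._prefs[url_prefix] = cert

    def lookup(self, url):
        matches = [p for p in self._prefs if url.startswith(p)]
        return self._prefs[max(matches, key=len)] if matches else None


def select_identity(certs, url, prefs, now,
                    required_ku=frozenset({"digitalSignature"}),
                    required_eku=frozenset({EKU_CLIENT_AUTH})):
    """Mirror the behaviour described in the thread: honour a stored
    preference for this URL if that cert is valid, otherwise take the FIRST
    valid cert in card order. Returns None when nothing qualifies."""
    valid = [c for c in certs if is_valid_for(c, required_ku, required_eku, now)]
    preferred = prefs.lookup(url)
    if preferred in valid:
        return preferred
    return valid[0] if valid else None


# Constructed sample card contents (labels and usages are illustrative, not
# a statement of what real CAC certificates contain).
NOW = datetime(2007, 10, 15)
ID_CERT = Cert("CAC ID Certificate", frozenset({"digitalSignature"}),
               frozenset({EKU_CLIENT_AUTH}),
               datetime(2006, 1, 1), datetime(2009, 1, 1))
EMAIL_SIG_CERT = Cert("CAC Email Signature Certificate",
                      frozenset({"digitalSignature", "nonRepudiation"}),
                      frozenset({EKU_CLIENT_AUTH, EKU_EMAIL_PROTECTION}),
                      datetime(2006, 1, 1), datetime(2009, 1, 1))
EMAIL_ENC_CERT = Cert("CAC Email Encryption Certificate",
                      frozenset({"keyEncipherment"}),
                      frozenset({EKU_EMAIL_PROTECTION}),
                      datetime(2006, 1, 1), datetime(2009, 1, 1))
EXPIRED_ID_CERT = Cert("Old CAC ID Certificate", frozenset({"digitalSignature"}),
                       frozenset({EKU_CLIENT_AUTH}),
                       datetime(2003, 1, 1), datetime(2006, 1, 1))
CARD = [EXPIRED_ID_CERT, ID_CERT, EMAIL_SIG_CERT, EMAIL_ENC_CERT]
PORTAL = "https://portal.example.mil/"  # hypothetical URL


def demo():
    """Return (label chosen with no preference, label chosen after a
    preference for PORTAL is stored), the two halves of the catch-22."""
    prefs = IdentityPreferences()
    before = select_identity(CARD, PORTAL + "login", prefs, NOW).label
    prefs.set(PORTAL, EMAIL_SIG_CERT)       # what the user would set manually
    after = select_identity(CARD, PORTAL + "login", prefs, NOW).label
    return before, after


if __name__ == "__main__":
    print(demo())
```

Without a preference the ID cert is picked because it is the first valid one; a server that answers with an HTML error page instead of a TLS alert never gives the client a reason to ask the user, which is the catch-22. The preference stored for the portal URL is what breaks it. On later macOS releases the same preference can be written from the command line with `security set-identity-preference -s <url> -c <certificate name>`; that command is not part of this 2007 thread.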
------------------------------
Message: 3
Date: Wed, 10 Oct 2007 20:08:47 -0400
From: Shawn A.Geddis <email@hidden>
Subject: Re: [Fed-Talk] CAC Setup on Intel MACs (additional step)
To: Apple Fed Talk <email@hidden>
Message-ID: <email@hidden>
Content-Type: text/plain; charset="utf-8"
On Oct 10, 2007, at 12:21 PM, Paul Nelson wrote:
> on 10/10/07 9:16 AM, Shawn A. Geddis at email@hidden wrote:
>>
>>>> I would like to make a list of all the PKCS#11 apps. I think this
>>>> list is a good start:
>>>>
>>>> 1) Firefox and other Mozilla stuff
>>>> 2) Cisco VPN (at least it does NOT use the Keychain)
>>>> 3) Citrix client
>>>> 4) Acrobat 8 Pro
>>
>> Actually, neither #2 nor #3 should be on this list:
>> 2) Cisco VPN on Mac OS X - No PKCS#11 - Soft Certs ONLY and
>> internally
>> managed
>> 3) Citrix ICA Client - Uses pcsc calls to pcscd while manipulating
>> Keychain Locks
>
> You are correct on item #2 - it does not use PKCS#11, but doesn't
> use the
> Keychain either.
Correct. I stated -- "Soft Certs ONLY and internally managed". No
reference to Keychains.
> Same for #3.
Misunderstood what I wrote. They manipulate the Keychain Locks (for
Smart Cards).
> However, recent work shows that Citrix conflicts with the Keychain
> for both
> Apple and Citrix shipping software.
You need to test with a recent version from Citrix and build of OS X
10.4.11 (currently available to developers).
For those following this, let's keep things very clear here:
Third-Party Application            Abstraction   Notes
---------------------------------  ------------  -------------------------------------------------------------------------
1) FireFox/Thunderbird/Mozilla...  PKCS#11       Also maintains its own internal Certificate Store
2) Cisco VPN Client                -Internal-    Only maintains its own internal Certificate Store
3) Citrix ICA Client               pcsc          Manipulates Keychain Locks to avoid tokend conflicts
4) Acrobat 8 Pro                   PKCS#11       Also supports PKCS#12 (file-based storage)
5) MS Entourage                    Keychains     Utilizes built-in Keychain Services (Keychains: File-based & Smart Cards)
--------------------------
Apple Applications/Services supporting Smart Cards
-- Keep in mind that Apple is currently still the ONLY OS vendor
providing
Out-of-Box support for the US Federal Smart Cards
(10.4== CAC/GSC-IS 10.5== will add PIV)
-- Login Window (System Login - User Authentication)
-- System Preferences (If Locked and Requiring Admin/User
Authentication)
-- Screen Saver - Unlock (obviously related to System Login)
-- Mail (Mail) (S/MIME - Signing and Encrypting Mail)
-- Web (Safari) (HTTPS - Secure Web Access - Client Side
Authentication)
-- Remote Access (IC) (L2TP/IPSec, PPTP and 802.1X for Network Access
Control)
(SSL VPN Access (i.e. Juniper) is activated by using Safari)
Some important Smart Card features coming in Mac OS X 10.5 "Leopard"
-- PIV Support (Additional "PIV" tokend to support PIV cards out-of-
box)
-- Unlock of FileVault (Unlock FV enabled accounts using keys from
Smart Cards)
-- Unlock of Keychains (Unlock Keychains using keys from Smart Cards)
(Keychains can then also unlock other keychains)
-- Keychain - Plugin UI (Double-Click access to additional PIN
Protected data on Cards - demographics)
- Shawn
_____________________________________________________
Shawn Geddis  Security Consulting Engineer  Apple Enterprise
------------------------------