On Feb 14, 2008, at 2:34 PM, John Dasher wrote:
> Can you comment on when Apple is going to support the industry standard PKCS#11 in its applications?

First, I thank John for asking the question that many new list members have probably been asking themselves and wanting to get an answer to. We have discussed this in the past a bit, so you will find some threads in the List's Archive. I did feel time and a significant growth in membership on this list necessitates an update to that information.
The following is a longer answer to the original question, but meant to be enlightening for all.
Apple began providing the PKCS#11 libraries and even relied on them starting back in the 10.2.3-10.2.8 days as a separate package. Some on this list might remember that there *was* a "Federal Smart Card Package" released for 10.2.8 which was built on PKCS#11. The same package was then rolled into the base OS Install of 10.3.0 and continued to provide the same PKCS#11 library and Smart Card Login at that time relied on it. It became quite apparent to Apple in the 10.3.x days that PKCS#11, however familiar to many developers and users, was not going to be a solution that provided the high level of Apple Integration within Mac OS X. With technology and over time, you must continually assess and re-assess if the widely used solutions are actually helping to solve the real world problems or just providing a playground for engineers to keep developing similar code. Apple needed a better abstraction which factored out all of the common code/services and reduced it to the smallest of elements -- Card Edge -- communication with the OS / Java Applet on the Smart Card itself.
PKCS#11 is indeed a well known abstraction layer for Smart Cards that has long been used on various platforms and previously been used on Mac OS X 10.2.3-10.3.9. With it comes limitations and complexities that may work in other platforms and for other users, but Mac OS X users expect more than that. Several customers still use PKCS#11 on Mac OS X (i.e. Firefox) and probably always will, but it has no integration into Apple's security architecture on Mac OS X 10.4 and 10.5.
Building on the established strengths of CDSA, Apple architected Smart Card Services in Mac OS X 10.4 to rely on the necessary, lower-level standards of pcsc and CCID, while seamlessly integrating Smart Cards into the Security APIs and available to the system / user as a Dynamic Keychain.
This architecture requires an OS X specific module "tokend" be developed for each Card OS / Applet available. The good thing is that this module requires very little code for a developer to write, yet provides full integration, secure access and all UI handled by the OS. I have frequently shared the real world case of "the one day development". A Smart Card engineer with a major Smart Card vendor (who was very new to Mac OS X) developed a tokend within one day with some guidance from an Apple Engineer. That means that he provided full use of his proprietary smart card across Mac OS X (Login, SysAdmin, Screen Saver, VPN [L2TP/PPTP], 802.1X, S/MIME, HTTPS) in one day without ever developing for Applications or doing any UI development. They won a contract with a very large customer while a competitor chose not to look at OS X / tokend and lost the account. Folks familiar with Smart Card development and integration consider that to be incredible ROI. When are Smart Card vendors going to include standard tokend/Keychain support in their drivers, so all the Mac OS X applications "just work" instead of always coming out with their kludgy Firefox/Thunderbird-only PKCS#11 software?
Once again I would like to publicly praise the efforts of the MS MacBU Team here. Office 2004 was released with S/MIME support and integration with Keychains. When it was installed on systems once Mac OS X 10.4 was released (April 29, 2005), Entourage got full access to the Smart Cards - as a Keychain - without the application having to deal with all of the lower-level Smart Card stuff. With the adoption of PIV now as well, Entourage gains immediate support for that card spec as well without additional engineering. The list goes on when you consider all of the commercial Smart Card vendors that have realized the advantage and begun to provide a "tokend" for their proprietary Smart Cards. This is incredible integration that provided a seamless solution for them and for the customer. As I will undoubtedly be challenged on this point, I will concede that there were some transitional issues (PPC->Intel), but once those were addressed, the distinct advantages of the platform and the architecture became quite evident.
That said, there are a few commercial products that many of you use which do not yet leverage Apple's built-in Security Architecture and in this case the Keychain APIs for the storage, retrieval and access to identities (Certificate & Private key). Many of them have started to realize they can save themselves an incredible amount of development effort by adopting this architecture on Mac OS X and are transitioning. There are those holdouts that indicate customers are not asking for this capability -- to that I turn the table to you the customer and ask, "Are you requesting/requiring products from your vendors to integrate with Keychains on Mac OS X in an effort to capitalize on the built-in integration of your US Federal Smart Cards (CAC/GSC-IS/PIV)?" If vendors hear the request and see the business opportunity, they will come!
The Smart Card industry is still pretty much the land of "proprietary solutions" and has been slow in adoption within the US directly related to that proprietary nature and stovepipe approach. However, I personally believe that an open Smart Card specification (i.e. PIV) will help to overcome that particular barrier and help drive extensive adoption. You can see for yourself by looking at how many Smart Card Vendors now provide PIV compliant Smart Card Management Systems to Government and Commercial customers. In contrast, the Common Access Card "CAC" specification was restricted to only be used by DoD.
On the Smart Card Reader front, that same convergence to a reliable standard with CCID is looking to be adopted more and more by all of the reader vendors. This will further ensure compatibility without stifling innovation from the manufacturers.
So to conclude here before I lose you, Apple has been working very hard to build, enhance and polish Smart Card integration in Mac OS X to ensure things just work for the user / admin / developer without exposing all of the complexities that technology brings with it -- especially on other platforms. We frequently hear from Federal customers that Apple needs to provide this or that to be accepted within the Enterprise. That said, many of you may be surprised to learn:
"Apple is the ONLY OS vendor to provide built-in Software support for the US Federal Smart Card Specifications (CAC/GSC-IS/PIV)."
This environment is never static, so there will always be new and exciting innovations on the way.
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise