[Fed-Talk] OpenSC SCA and DoD CACs
- Subject: [Fed-Talk] OpenSC SCA and DoD CACs
- From: "Miller, Timothy J." <email@hidden>
- Date: Mon, 20 Apr 2009 15:46:59 -0400

FYI, though many already know this:

If you have a DoD CAC issued from a RAPIDS 7.3 station, your card includes
the PIV data model and certs. In short, recent CACs issued in the last year
*should* be PIV compliant (I can't guarantee every DEERS/RAPIDS workstation
has been updated). Cards with the PIV and CAC data models work with the
OpenSC stack (thanks to Doug Engert and others) as PIVs.

This is useful because the OpenSC PKCS#11 module is, shall we say, a bit
more stable than Red Hat's Coolkey and installs more cleanly. Frex.,
launching/quitting Firefox doesn't hang when the card is inserted. :)

http://www.opensc-project.org/sca/

The module will be installed here:

/Library/OpenSC/lib/pkcs11/opensc-pkcs11.so

One note: Since there appears to be no way to control which tokend takes
control of a card without rebuilding the damn things, CDSA applications
(Keychain Access, Mail, Safari, etc.) will still see your card as a CAC.
Only applications you configure to use the OpenSC PKCS#11 module will see
the card as a PIV (Firefox, Camino, Thunderbird, etc.).

Another note: If you really want to use your CAC as a PIV in the OS, you
need to move the CAC.tokend *out* of /System/Library/Security/tokend/. The
Apple PIV tokend will drive new CACs just fine. You *can* also move the
PIV.tokend out and use OpenSC.tokend. I don't particularly recommend either
of these, but it doesn't do any harm.

-- Tim