RE: [Fed-Talk] re: OpenSSL on OS X old?
- Subject: RE: [Fed-Talk] re: OpenSSL on OS X old?
- From: "Gillett, Thomas J. (CMS/CTR)" <email@hidden>
- Date: Wed, 13 May 2009 11:28:15 -0400
- Thread-topic: [Fed-Talk] re: OpenSSL on OS X old?
A niche, I disagree; our laptops are MANDATED to be fully encrypted, and
I'm certain many other federal facilities will as well. Pointsec has a
just-released product for OS X, but it has been riddled with bugs and
missing features that are really necessary for supporting a large user
base (single sign-on, AD integration). Perhaps, in some opinions, this
is not enough security, but we must at least first meet these
requirements.
As for CAC, in Windows if you take a recently issued smartcard
(PIV-II) and put it in a new machine, you will at least get a prompt
to enter your PIN. In my experience, OS X does not seem to even
recognize the card at the login screen; it still asks for a user name
and password. The cards work once you log in, but HSPD-12 clearly
specifies that we must use these cards for both physical access (access
to the building) and logical access (logging into the computers).
Logging in with a username and a password and then just using the PIV in
OS X for email ... is just not good enough. We need support for HSPD-12.
In my opinion, there are third-party applications or providers to
fulfill these requirements, but if Apple is serious about federal
support, OS X should do what is federally required -- natively.
-----Original Message-----
From: fed-talk-bounces+thomas.gillett=email@hidden
[mailto:fed-talk-bounces+thomas.gillett=email@hidden] On
Behalf Of Timothy J. Miller
Sent: Friday, May 08, 2009 9:34 AM
To: David Emery
Cc: email@hidden; Trent Townsend
Subject: Re: [Fed-Talk] re: OpenSSL on OS X old?
David Emery wrote:
> The three big things that are essential from my perspective are
> a. full CAC integration, including Safari, Mail.app, and a means
> for 3rd party apps to make appropriate use of CAC Cards.
Ummm...Safari has a bug, but this was all done in 10.4. Smartcards are
fully integrated into CDSA (Common Data Security Architecture, an Open
Group managed standard framework). First-class OS X applications are
expected to use CDSA for security and cryptography, and if they do they
get access to smartcards for free.
> b. Whole-disk encryption (and that's something so dangerous to
> get wrong, that I think the OS vendor is the right vendor to do it.)
I disagree here. Disk encryption is a niche and belongs to third-party
vendors.
The actual issue is protecting data from unauthorized access, and to be
blunt disk encryption isn't the answer. Disk encryption only addresses
*one small part* of data protection; it *only* protects data in the slim
case where all users are logged out and the computer is *off* (not
asleep). I think you'll find in practice most mobile systems are asleep
with at least one user logged in.
Disk encryption doesn't protect your data from other users of the
system, which is a *much* bigger concern.
-- Tim