RE: [AKO Warning - Message fails DKIM verification] [Fed-Talk] CAC certificates not recognized by Keychain Access
- Subject: RE: [AKO Warning - Message fails DKIM verification] [Fed-Talk] CAC certificates not recognized by Keychain Access
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 19 Feb 2010 09:46:42 -0500
- Acceptlanguage: en-US
- Thread-topic: [AKO Warning - Message fails DKIM verification] [Fed-Talk] CAC certificates not recognized by Keychain Access
It's not the CACs, it's the software *accessing* the CACs. The underlying issue is there was a logical layout change made on the CAC to more efficiently use space as part of the transition from CAC to PIV.[1] Middleware that properly adhered to the Government Smart Card Interoperability Specification (GSC-IS) doesn't have a problem. However, some middleware authors took shortcuts and this change exposes them.
Frex., Red Hat's Coolkey won't work with the 144K cards either.
Welcome to the wonderful world of IT integration. :)
-- Tim
[1] For the curious, the big change (among others) was to move from three separate instances of the on-card PKI applet--each managing one CAC key--to one on-card PKI applet managing all three keys. GSC-IS requires that an accessing agent first query the card capability container (CCC) to discover the applet identifier prior to sending the select command to access the applet. This abstraction is present in the spec *specifically* to isolate accessing software (middleware) from changes to the card layout and applets. So what happened was that when the layout changed the PKI applet ID changed, and the CCC was updated. If your middleware does the right thing--i.e., ask the CCC where the key is and use the returned applet ID to select it--then all is well and good. More than one middleware author took the shortcut of hard-coding the PKI applet ID for each key, and skipped the CCC query step--and so they break on the new cards.
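The discovery step Tim describes (ask the CCC for the applet ID, then SELECT it) versus the hard-coded shortcut, as an added simulation that is not part of the original post or of any real middleware. Everything in it is constructed: the applet identifiers, the two card layouts and the CCC contents are stand-ins for the real GSC-IS structures, and the card model only implements the three operations needed to show why the shortcut breaks on the single-applet 144K layout while the compliant path works on both.

```python
# Simulation of GSC-IS applet discovery vs hard-coded applet IDs.
# All applet identifiers and CCC contents below are constructed stand-ins,
# not real CAC values; the card model is deliberately minimal.

SW_OK = 0x9000         # ISO 7816-4 status word: command completed normally
SW_NOT_FOUND = 0x6A82  # ISO 7816-4 status word: file or application not found

KEYS = ("identity", "signature", "encryption")

# Hypothetical CCC applet identifier, the same on both card generations.
CCC_AID = "SIM:CCC"

# Hypothetical 72K layout: three PKI applet instances, one per key.
LAYOUT_72K = {
    "identity":   "SIM:PKI:ID",
    "signature":  "SIM:PKI:SIG",
    "encryption": "SIM:PKI:ENC",
}

# Hypothetical 144K layout: one PKI applet managing all three keys.
LAYOUT_144K = {
    "identity":   "SIM:PKI:ALL",
    "signature":  "SIM:PKI:ALL",
    "encryption": "SIM:PKI:ALL",
}


class SimCard:
    """Minimal card model: SELECT by AID, read the CCC, use a key."""

    def __init__(self, layout):
        self.layout = dict(layout)   # what the card's CCC would advertise
        self.selected = None         # currently selected applet AID

    def select(self, aid):
        """SELECT an applet by AID; only the CCC and the PKI applets exist."""
        if aid == CCC_AID or aid in self.layout.values():
            self.selected = aid
            return SW_OK
        self.selected = None
        return SW_NOT_FOUND

    def read_ccc(self):
        """Return the key -> applet AID map; valid only after selecting the CCC."""
        if self.selected != CCC_AID:
            raise RuntimeError("CCC not selected")
        return dict(self.layout)

    def use_key(self, key):
        """Succeed only if the selected applet is the one that manages `key`."""
        return self.selected is not None and self.layout.get(key) == self.selected


def hardcoded_middleware(card, key):
    """The shortcut: assume the 72K applet IDs and never ask the CCC."""
    aid = LAYOUT_72K[key]
    if card.select(aid) != SW_OK:
        return False
    return card.use_key(key)


def gsc_is_middleware(card, key):
    """The compliant path: discover the applet AID from the CCC, then SELECT it."""
    if card.select(CCC_AID) != SW_OK:
        return False
    aid = card.read_ccc().get(key)
    if aid is None or card.select(aid) != SW_OK:
        return False
    return card.use_key(key)


def check_all(middleware, layout):
    """Run one middleware against a fresh card of the given layout for every key."""
    return {key: middleware(SimCard(layout), key) for key in KEYS}


if __name__ == "__main__":
    for name, mw in (("hard-coded", hardcoded_middleware), ("GSC-IS", gsc_is_middleware)):
        for gen, layout in (("72K", LAYOUT_72K), ("144K", LAYOUT_144K)):
            print(f"{name:10s} middleware on {gen:4s} card: {check_all(mw, layout)}")
```

Running it shows the hard-coded middleware succeeding on every key of the 72K layout and failing on every key of the 144K layout (the SELECT for the old per-key AID returns 0x6A82), while the CCC-driven middleware succeeds on both, because the only thing it assumes is the CCC's own identifier.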
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-
>talk-bounces+tmiller=email@hidden] On Behalf Of David
>Whitley
>Sent: Friday, February 19, 2010 8:24 AM
>To: Fed-talk List
>Subject: Re: [AKO Warning - Message fails DKIM verification] [Fed-Talk]
>CAC certificates not recognized by Keychain Access
>
>We've had some problems too, but not just with Macs. Evidently it's the
>new CACs that they are issuing. Here's the info from our IT folks:
>
>"This message applies to personnel who have recently been issued a new
>CAC (in the last week or two) or who may be getting a new CAC issued in
>the coming weeks/months.
>
>+++++++++++++++++++++++++++++++
>
>Current Situation: All SPAWAR CAC offices have started issuing a new
>"type" of CAC card. At present the automated registration process is
>unable to accommodate these new cards. No registration means no access
>to NMCI email, NERP, DTS, etc. (any system that requires your CAC for
>authentication).
>
> - To identify a new "type" of CAC: Look at the writing above
>the magnetic strip on the back of the card. New CACs are identified by
>the word 144K. Older CACs have the word 72K instead.
>
>++++++++++++++++++++++++++++++
>
>Action: Until the website is able to process these new CACs, personnel
>receiving a new CAC should contact the local RDT&E Help Desk. They will
>assist users in getting the certificates located on the new CAC manually
>registered.
>
>It is also highly recommended that if your CAC is expiring soon, you get
>a new one issued ASAP to avoid any certificate registration issues which
>will result in a loss of productivity, etc."
>
>++++++++++++++++++++++++++++++
>
>
>David R. Whitley Jr.
>Email: email@hidden
>
>On Feb 18, 2010, at 10:55 PM, William Hill wrote:
>
> List:
>
> A friend is having trouble getting his MacBook to recognize his
>certificates.
>
> Keychain Access shows his CAC, however, when unlocked it doesn't
>show any certificates.
>
> He is able to log on to work PC and access sites that require a
>CAC.
>
> When I put my CAC in his reader, my certificates are shown as
>normal.
>
> Why is my CAC showing my certificates but his CAC doesn't show any
>certificates?
>
> - MacBook, OS 10.6.2
> - Active Identity USB v3 CAC reader
> - friend's CAC doesn't work - GEMALTO TOPDLGX4 144 (numbers on
>the back start with these)
> - my CAC works - GEMALTO GCX4 72K DI
>
> Thanks for your assistance,
>
> William Hill
> Great Lakes, IL
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden