Bob,
Comments inline below...
On May 5, 2010, at 2:06 PM, Bob Colbert wrote:
Shawn,
Thank you for the time to respond to this. This information is very helpful to get our Mac systems approved by DSS and be NISPOM compliant.
Coincidentally, I just saw one of your Apple website videos about Smart Card security because I was looking for a potential Smart Card solution for our ECA PKI certificates for DoD Contractors. I have software-based certificates that are expiring at the end of the month, and I was looking to see what was involved in the Smart Card solution with a corporate photo ID.
In short, you just need to have a corresponding Tokend that supports the Applet (profile) on the Smart Card, and everything else is handled the same way as you do now with your soft-certs in Keychains.
I guess I have a follow-up question, more regarding PKI certificates, than your original reply about the Volatility Statement and Security Classification Guides. As I said, it was just coincidental that you appear to be involved with both.
I don't personally think it is coincidental considering that I manage all of these Volatility Statements, Security Configuration Guides and Smart Card Services. As the Enterprise Security Consulting Engineer at Apple, I also provide Enterprise (Public/Private Sectors) the necessary understanding and guidance on all things security related such as PKI.
As more and more of our DoD communications become encrypted, I think there definitely needs to be iPhone/iPad support for reading encrypted (S/MIME) emails. Pretty soon, I will be getting more "this email cannot be read on this device" messages on the iPhone/iPad (I have both, love them).
Agreed. I am a very strong advocate for this.
I saw in the iPhone OS 4 presentation that there will be support for encrypted emails; however, I think that was more based on the device password as the key, rather than the PKI infrastructure that is required for DoD communications.
Be very careful of the nuances of how that is said. What was said at the OS 4 keynote, posted for viewing [1] (00:40:38), was that all of your email and attachments will be encrypted -- DAR. This second layer of encryption (sw on top of hw) would be keyed using your passcode. What you are asking about, as you know, is S/MIME -- Signing and Encrypting email. That is a feature that is not part of the current version 3.1.3/3.2 of iPhone OS, but you can get it from a few third-party apps available for iPhone OS-based devices (iPhone/iPad/iPod Touch).
Maybe there is going to be support for that in iPhone OS 4,
Recall that I tried to encourage people to remember that unless it is publicly posted on Apple's websites or communicated from Apple, any other information about iPhone OS 4 is under NDA. Be careful here....
but the preliminary release info didn't seem to indicate that. Perhaps the problem is how/where to get the keys into the device and securely stored on it.
The iPhone OS, starting back in the 2.X days, already had Keychain support for the OS / all applications, and it is the secure storage for credentials such as X.509-based Identities. You can import Identities (Certs/Private Key) and Certificates into the System Keychain via Web download, Mail attachment, Config Profiles, and into any Application that supports it directly by means of the App Comms. See the Enterprise Deployment Guide and iPhone Configuration Utility for more on Certs and Identities.
Maybe there could be a 30-pin connector gadget, much like the USB keys that store PKI certs that can be plugged into the bottom of the device to read/send encrypted emails.
There is the "Made for iPod" program, and ever since the iPhone OS 3.0 SDK was released, developers have had full capability of architecting just about any type of device and communicating with their application. This would be on an App by App basis.
Does Apple just plan to have the infrastructure built into the iPhone 4 OS or is it up to 3rd party developers to fill in this need?
I cannot say what Apple may or may not do in the future, but today this is quite possible by any ISV to interface to their own application.
Do you have any insight that you can provide on this, or should I just "wait and see"?
Becoming an iPhone developer sure would get you access to NDA covered beta releases of iPhone OS along with related documentation. If you do not join that program, then you only have Apple publicly posted information to go by.