Update now that it's no longer NDA,
Lion as shipped has no PIV.tokend in "/System/Library/Security/tokend/PIV.tokend"
What they did leave in was:
- the PKCS#11 shim: "/usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so"
  - This won't work without the PIV.tokend package
- the uiplugins: "/System/Library/Security/tokend/uiplugins/PIVViewerPlugin.bundle"
  - This won't work without the PIV.tokend package
From what I understand, since it is not in the OS, it is no longer supported by Apple Support; please correct me if I'm wrong.
Having said that, for PIV users, moving the "/System/Library/Security/tokend/PIV.tokend" package from Snow Leopard appears to work fine and will allow Chrome and Firefox to work with client side SSL/TLS authentication.
For Safari in Lion, RFC5746 renegotiation for client side authentication is still broken.
Another alternative solution for PIV is to use the OpenSC open source code. Although the installer is for 10.6, it can be made to work on Lion. It includes a tokend and a PKCS#11 library. The PKCS#11 library works very well and does not require use of a tokend or the keychain.
Yet another alternative is not to use OS X Lion, since it fails to meet the M-11-11 mandate.
Any more info from Apple on this lack of Federal Support?
-Ridley
On Jul 11, 2011, at 11:25 AM, Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] wrote:
Since Lion is not released yet to the public, despite the presence of a Gold Master for developers or other people talking about it on the web, technically I believe it is still NDA. I will hold my comments until it is released to the public.
Just starting a thread because I think there are Federal discussions that need to take place once they do release it to the public. There are some slight nuances that are different than CAC / CAC-NG support, therefore deserving of an additional thread.
-Ridley
NASA Emerging Technology and Desktop Standards