Re: [Fed-Talk] Lion - CAC and other Smart Cards
- Subject: Re: [Fed-Talk] Lion - CAC and other Smart Cards
- From: "Alcasid, James (Verisolv)" <email@hidden>
- Date: Thu, 21 Jul 2011 15:00:05 -0400
Bob,
Just to echo your sentiments/thoughts. There is a lot of traffic on the whole CAC/PIV issue and it being a bug that Lion does not support it. I believe also that Apple has the engineering resources to do this but chooses to allocate efforts to other subsets of the operating system code. As much as it sorrows me that card credentials are not supported natively, I am glad Apple is working on parts of the OS of higher visibility and leaving the other parts to expert third parties.
Best Regards,
James Alcasid
On 7/21/11 2:00 PM, "Bob Colbert" <email@hidden> wrote:
Shawn,
I may sound like a total tool here, but I don’t quite get why CAC or any SmartCard support is so hard. I posted about my particular ECA certificate card on the SourceForge SmartCard site in the bug fix area. I think you responded to me previously that it has something to do with parsing the profile, etc. I believe you responded that it was a matter of updating a section of the tokend code to adjust it, and it would take a while to address it.
I know there is an acronym soup governing these things, but I guess I tend to look at this stuff as a black box. All of the basic internet services (DNS, DHCP, et al.) have RFCs governing their use, but fortunately the end-user is blissfully unaware of them because Apple (and other OS vendors) do a good job of just making it work.
Aren’t all of the different CACs and SmartCards just parsing something a little differently based on the byte layout or something? I write a lot of single use code in Excel, VB, Fortran, etc. for parsing text files and such for scientific computing. Once an overall framework is set up, isn’t the parsing of the different CAC/Smart Cards just formatting the read statements a little differently? I am probably oversimplifying things a lot, but I guess my point is that the end-user shouldn’t have to think about the details of these things when all they want to do is connect to websites, and sign/encrypt emails with their CAC/Smart Card. The current situation is very un-Mac like.
The SmartCard issues can’t be any harder than a lot of the problems developed and overcome for the current release of Lion. So my only conclusion is that it has to be a resource allocation/cost benefit issue to fix the current situation. Apple usually goes consumer first and does a great job of putting an ecosystem together. Believe me, I have a ton of Apple gear at home that I love. I guess solving the CAC/SmartCard issue perhaps isn’t worth the money to solve for an admittedly much smaller audience than the entire consumer market segment.
I would digitally sign this email, but I would have to boot up my VMWare Fusion with XP in it to do so. ;-)
Bob Colbert
DE Technologies, Inc.
From: Shawn Geddis <email@hidden>
Date: Wed, 20 Jul 2011 13:49:57 -0400
To: Bob Colbert <email@hidden>
Cc: "email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] Lion - CAC and other Smart Cards
On Jul 20, 2011, at 11:23 AM, Bob Colbert wrote:
Now that Lion has been released, can those of you that posted some additional information to the Developer Forums (because of the NDA) provide some of the info that is probably pertinent to those of us watching this list? Perhaps the most critical for those watching this list, is the purported non-support of CAC cards in Lion. The militarycac.com <http://militarycac.com> website is reporting that Pkard is the only option for CAC support for Lion. I swear I thought that Shawn Geddis had implied that the new CAC cards would be supported in Lion because the tokend was updated but not yet published to the SourceForge site. Seems like a big disconnect. Maybe CAC support was pulled at the last minute?
My particular interest is also in the support of the ECA-type of certificates for us contractor-folk. Currently Pkard does not support these cards. Although I’m pretty sure that someone from Thursby follows this list. Can you support some of these cards? My ORC-issued ECA Smart Card is reported as a Gemalto Cyberflex Access 64k V2C.
Bob Colbert
DE Technologies, Inc.
Bob,
With respect to OS X Lion, please see my previous message.
With respect to your "Gemalto Cyberflex Access 64k V2C". What Applet is loaded on the card? On OS X, it is not actually the card per se that determines support or not, but rather what applet is loaded. OS X requires a Tokend for each Applet/Profile and if that is not recognized then OS X is unable to use the card. You would need to acquire a Tokend (open source or commercial) to support whatever applet is loaded on your Smart Card.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
James Alcasíd ACSP | VeriSolv Technologies
Department of Veterans Affairs | Enterprise System Engineering
470 L’Enfant Plaza SW Suite 3100, Washington DC 20024
Office (202) 245-4573, Mobile (202) 340-8930
email@hidden, email@hidden
VA Mac OS X Integration Guide: http://go.va.gov/mz2i
VA APPLE OI&T Listserv: email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature