Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
- Subject: Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
- From: "Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 58110" <email@hidden>
- Date: Fri, 13 May 2011 08:24:35 -0700
- Thread-topic: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
AKO works for me.
On 5/13/11 6:44 AM, "Shomo, Michelle L USA CTR (US)"
<email@hidden> wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> The issue is that the OpenSC tokend is a PIV implementation and only
> interfaces with the PIV applet on the CAC. The PIV applet doesn't have
> access to the CAC ID Certificate, so you only have 3 certificates showing up
> in Keychain Access not 4. Sites like AKO which don't accept PIV certificates
> aren't accessible.
>
> The smart card login issue is that it isn't properly configured to unlock
> the system so you can't use your CAC to log back in; this is independent of
> which certificate is used.
>
> Michelle
>
>
> -----Original Message-----
> From: Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 58110
> [mailto:email@hidden]
> Sent: Thursday, May 12, 2011 2:08 PM
> To: Shomo, Michelle L USA CTR (US); Michael Kluskens; Fed-talk
> Subject: Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
>
> I haven't noticed a CAC vs PIV issue; as far as I know they're different
> applets that access the same certificates. So if a site wants the CAC ID
> cert, the PIV Auth cert should work as well.
>
> OpenSC provides both a Tokend (I disable Apple's CAC and PIV tokend so
> there's no conflict) for keychain integration as well as a PKCS#11 module
> that can be used with Mozilla apps. I don't use smart card login, but I
> don't see why it would work using CAC vs PIV. Note that in the keychain,
> they would appear different so you'd have to make sure the PIV version is
> setup for what you need. I know for the Identity Preferences that Safari
> uses, I had to edit them reselect the certificate as the Preferred
> Certificate.
>
> - David
>
>
> On 5/12/11 10:16 AM, "Shomo, Michelle L USA CTR (US)"
> <email@hidden> wrote:
>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> This does not allow use of the CAC ID certificate. Only the PIV ID
>> certificate and the email signing and encryption certificates are available
>> with the OpenSC tokend.
>>
>> So it only partially solves the issue, as any system that requires
>> authentication using the CAC ID certificate, that doesn't accept the email
>> signing or PIV certificates instead, won't work.
>>
>> Also there is an issue if you try to use your CAC for logon to your Mac
>> (instead of UID password) if the screen lock requires authentication to
>> regain access you can't use the CAC to unlock and get back onto the Mac (and
>> if you try to use the CAC to unlock the Mac it hangs and you have to
>> forcibly power the system down to recover).
>>
>> Michelle
>>
>>
>> -----Original Message-----
>> From: fed-talk-bounces+michelle.l.shomo.ctr=email@hidden
>> [mailto:fed-talk-bounces+michelle.l.shomo.ctr=email@hidden] On
>> Behalf Of David Mueller
>> Sent: Thursday, May 12, 2011 11:46 AM
>> To: Michael Kluskens; Fed-talk
>> Subject: Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards
>>
>> There was a post a couple months ago on the SmartcardServices-Users list
>> that suggests that OpenSC might work:
>>
>>
>> http://lists.macosforge.org/pipermail/smartcardservices-users/2011-March/000211.html
>>
>> - David
>>
>>
>> On 5/12/11 8:38 AM, "Michael Kluskens" <email@hidden> wrote:
>>
>>> We got our first "Oberthur ID One 128 v5.5 cards" which don't work with OS X,
>>> before this all the NG cards that OS X coworkers got were Gemalto's I believe.
>>>
>>> The beta driver at <http://smartcardservices.macosforge.org/> says "Oberthur
>>> ID One 128 v5.5 cards are not yet supported" and that is dated from one year
>>> ago.
>>>
>>> We just encountered yet another .mil web site (extranet.onr.navy.mil) that
>>> does not work with Safari 5.x but works with Chrome, once again the same bug I
>>> filed with Apple more than a year ago dating from almost precisely when Safari
>>> 5 was released.
>>>
>>> Given the number of complaints I'm getting from coworkers about OS X and DoD
>>> CAC cards what software product do we need to buy to get basic web and mail
>>> support in OS X for DoD CAC cards. Thursby PKard for Mac is $30 but seems to
>>> do only web access, does it include drivers that work with OS X Mail?
>>>
>>> Michael
>>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>