Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
- Subject: Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 13 May 2011 11:42:32 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
Up until recently AKO authenticated users by direct cert comparison; i.e., you had to present the same exact cert as the one you registered with. So if you registered your CAC ID cert you can't authN with the PIV-Auth cert. This is why you had to log on with a password and re-register each time you got a new CAC.
This has changed recently and IIRC you can now enable CAC-only authN, which follows the Subject DN, and that is the same on every cert you get issued. Thus, you don't need to re-register with each new CAC, and you can authN with both the PIV-Auth and ID certs.
-- T
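The two bindings Tim describes, as an added illustration that is not part of this thread: two self-signed certificates (constructed here, standing in for an original CAC and its re-issue) share one Subject DN but differ in key and serial, so a fingerprint binding fails after re-issue while a Subject DN binding survives it. The DN check is only meaningful once the presented chain has been validated to a trusted root; that validation is assumed, not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// subjectDN stands in for the DN a CAC holder keeps across every card re-issue (constructed value).
var subjectDN = pkix.Name{CommonName: "DOE.JOHN.A.1234567890"}

// issueCert mints a self-signed cert for subjectDN with a fresh key; each call models a new CAC.
func issueCert(serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subjectDN,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// matchByFingerprint is the old "exact cert comparison": SHA-256 over the DER, so any re-issue fails.
func matchByFingerprint(registered, presented *x509.Certificate) bool {
	return sha256.Sum256(registered.Raw) == sha256.Sum256(presented.Raw)
}

// matchBySubjectDN is the newer binding: it follows the Subject DN, which survives re-issue.
// Only safe after the presented chain has been validated to the trusted roots; the DN alone proves nothing.
func matchBySubjectDN(registered, presented *x509.Certificate) bool {
	return registered.Subject.String() == presented.Subject.String()
}
```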
On May 13, 2011, at 10:24 AM, Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 58110 wrote:
> AKO works for me.
>
>
> On 5/13/11 6:44 AM, "Shomo, Michelle L USA CTR (US)"
> <email@hidden> wrote:
>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> The issue is that the OpenSC tokend is a PIV implementation and only
>> interfaces with the PIV applet on the CAC. The PIV applet doesn't have
>> access to the CAC ID Certificate, so you only have 3 certificates showing up
>> in Keychain Access, not 4. Sites like AKO which don't accept PIV certificates
>> aren't accessible.
>>
>> The smart card login issue is that it isn't properly configured to unlock
>> the system, so you can't use your CAC to log back in; this is independent of
>> which certificate is used.
>>
>> Michelle
>>
>>
>> -----Original Message-----
>> From: Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 58110
>> [mailto:email@hidden]
>> Sent: Thursday, May 12, 2011 2:08 PM
>> To: Shomo, Michelle L USA CTR (US); Michael Kluskens; Fed-talk
>> Subject: Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards (UNCLASSIFIED)
>>
>> I haven't noticed a CAC vs PIV issue; as far as I know they're different
>> applets that access the same certificates. So if a site wants the CAC ID
>> cert, the PIV Auth cert should work as well.
>>
>> OpenSC provides both a Tokend (I disable Apple's CAC and PIV tokend so
>> there's no conflict) for keychain integration as well as a PKCS#11 module
>> that can be used with Mozilla apps. I don't use smart card login, but I
>> don't see why it would work using CAC vs PIV. Note that in the keychain,
>> they would appear different so you'd have to make sure the PIV version is
>> set up for what you need. I know for the Identity Preferences that Safari
>> uses, I had to edit them and reselect the certificate as the Preferred
>> Certificate.
>>
>> - David
>>
>>
>> On 5/12/11 10:16 AM, "Shomo, Michelle L USA CTR (US)"
>> <email@hidden> wrote:
>>
>>> Classification: UNCLASSIFIED
>>> Caveats: NONE
>>>
>>> This does not allow use of the CAC ID certificate. Only the PIV ID
>>> certificate and the email signing and encryption certificates are
>>> available with the OpenSC tokend.
>>>
>>> So it only partially solves the issue, as any system that requires
>>> authentication using the CAC ID certificate, that doesn't accept the email
>>> signing or PIV certificates instead, won't work.
>>>
>>> Also there is an issue if you try to use your CAC for logon to your Mac
>>> (instead of UID password): if the screen lock requires authentication to
>>> regain access you can't use the CAC to unlock and get back onto the Mac
>>> (and if you try to use the CAC to unlock the Mac it hangs and you have to
>>> forcibly power the system down to recover).
>>>
>>> Michelle
>>>
>>>
>>> -----Original Message-----
>>> From: fed-talk-bounces+michelle.l.shomo.ctr=email@hidden
>>> [mailto:fed-talk-bounces+michelle.l.shomo.ctr=email@hidden] On
>>> Behalf Of David Mueller
>>> Sent: Thursday, May 12, 2011 11:46 AM
>>> To: Michael Kluskens; Fed-talk
>>> Subject: Re: [Fed-Talk] Oberthur ID One 128 v5.5 cards
>>>
>>> There was a post a couple months ago on the SmartcardServices-Users list
>>> that suggests that OpenSC might work:
>>>
>>>
>>> http://lists.macosforge.org/pipermail/smartcardservices-users/2011-March/000211.html
>>>
>>> - David
>>>
>>>
>>> On 5/12/11 8:38 AM, "Michael Kluskens" <email@hidden> wrote:
>>>
>>>> We got our first "Oberthur ID One 128 v5.5 cards" which don't work with
>>>> OS X; before this all the NG cards that OS X coworkers got were Gemalto's
>>>> I believe.
>>>>
>>>> The beta driver at <http://smartcardservices.macosforge.org/> says
>>>> "Oberthur ID One 128 v5.5 cards are not yet supported" and that is dated
>>>> from one year ago.
>>>>
>>>> We just encountered yet another .mil web site (extranet.onr.navy.mil)
>>>> that does not work with Safari 5.x but works with Chrome, once again the
>>>> same bug I filed with Apple more than a year ago dating from almost
>>>> precisely when Safari 5 was released.
>>>>
>>>> Given the number of complaints I'm getting from coworkers about OS X and
>>>> DoD CAC cards, what software product do we need to buy to get basic web
>>>> and mail support in OS X for DoD CAC cards? Thursby PKard for Mac is $30
>>>> but seems to do only web access; does it include drivers that work with
>>>> OS X Mail?
>>>>
>>>> Michael
>>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden