Re: [Fed-Talk] Secure email with Mac and iOS
Re: [Fed-Talk] Secure email with Mac and iOS
- Subject: Re: [Fed-Talk] Secure email with Mac and iOS
- From: Paul Nelson <email@hidden>
- Date: Mon, 24 Oct 2011 08:10:29 -0500
On Oct 24, 2011, at 6:56 AM, Miller, Timothy J. wrote:
> On 10/21/11 4:03 PM, "seanmalone" <email@hidden> wrote:
>
>> Unlike an environment that normally backs up all 3 types of
>> certs in a Microsoft Identity Lifecycle Management server (ILM), it
>> appears we're only part way thru the process to achieve the goal of
>> being able to use iOS5's S/MIME capabilities with DoD-issued CAC certs.
>
> And you'll never get there. iOS5 has no smartcard infrastructure, and the
> application sandboxing means no third-party can extend the base platform
> *for other applications*. Ask Paul Nelson of Thursby--they approached
> Apple to do just that and were rebuffed. Apple, as usual, is completely
> inscrutable; so we can expect smartcard support to never happen--until the day it drops into a developer preview.
Thursby does work as closely as possible with Apple, but we all need to realize that smart cards on iOS are still in the infancy stage.
That said, Thursby is developing a version of PKard for iOS that provides a web browser that authenticates SSL/TLS using a CAC or PIV. While we have had some good results so far, we are not in Beta test yet. We are also working with OpenSSL to provide FIPS 140 certified crypto in our app sandboxes.
There are a few smart card readers available for iOS. One is the baiMobile 3000. This reader is available for sale. We are integrating at least two more readers into PKard. We believe that by January, you will have a choice of baiMobile, Precise Biometrics, one additional low price reader, and the PKard browser with FIPS 140 certified crypto. I think this is a good start.
As for sharing a smart card using an Apple provided framework, this would be a benefit to app developers, but also has the same problems that you find on the Mac platform. While Thursby is highly motivated to bring products to this relatively modest market, Apple has not been so inclined. To figure out why, just take a look at the recent iPhone 4s sales numbers.
So what to do for app developers? Thursby is looking into ways that will allow a third party app to make use of a smart card. We are also looking into allowing Web apps to use the smart card. However, these things raise many security issues related to trust. In my opinion, smart card users today trust their computers way too much in handling the details of communicating with a card. Do you really know for sure that your card is not being used to sign data surreptitiously? I doubt it. In the iOS environment, this risk is even higher with a fully integrated framework, and users wanting to install as many untrusted apps as possible.
I think a really good discussion on this list would be "What would I use my iPhone/iPad for if it worked with my CAC/PIV?"
> ...
> Actually this kind of fits with Apple's modus operandi, if you think about
> it. Apple's design intent is always to eliminate user decisions that are
> prone to error. This creates the 'seamless' experience we expect from
> Apple. Nothing in PKI is more prone to error than user-based trust
> decisions.
I would say this is true, and closely followed by untrusted software that has direct use of private keys without the user knowing it.
Paul Nelson
CTO
Thursby Software Systems, Inc. _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden