Re: [Fed-Talk] ECA Certificates - Smart Card options?
- Subject: Re: [Fed-Talk] ECA Certificates - Smart Card options?
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 13 Apr 2012 18:24:10 +0000
- Thread-topic: [Fed-Talk] ECA Certificates - Smart Card options?
PIV, PIV-I, PIV-C, and CAC data models do not apply to ECA hardware tokens. Each ECA vendor is free to set its own data model for the tokens it issues.
If you need Mac support for an ECA vendor's tokens, that's something you need to address with the ECA vendor.
-- T
On Apr 13, 2012, at 10:33 AM, Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] wrote:
> Bob,
>
> I’m not very familiar with what applet is running, as it is not a CAC or PIV exactly and that’s likely the reason you are not seeing support for it. This looks like a reference: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1052.pdf
> So as you appear to know, there needs to be a tokend to support that card / applet if you are going to use it natively with OS X. The other option is to leverage PKCS11.
>
> One thing you may want to look into is open source such as OpenSC or Coolkey. For supported hardware: http://www.opensc-project.org/opensc/wiki/SupportedHardware It appears to have Cyberflex listed for support but the dependency is what applet it's running, as well as a use at your own risk note. The site references Schlumberger cards, which changed to Axalto, then to Gemalto: http://www.opensc-project.org/opensc/wiki/Cyberflex That reference appears to be a deprecated reference to the pre-JAVA cards, but the card still might have support, I’m not sure. You might want to ask your question to the OpenSC lists.
>
> The other code project to look at is Coolkey, although it has historically had issues with the newer applet types, like those used on PIV and new CAC cards: https://bugzilla.redhat.com/show_bug.cgi?id=534172#c73 There is a thread about its difficulties with that card type you mention and it points to the other thread: https://bugzilla.redhat.com/show_bug.cgi?id=652037
>
> You should probably follow up with ECA for cardstock / applet support for non-Windows. They may only be interfacing certificate issuance to that particular card / applet type so your question about getting a CAC card type and having them issue to it may not be possible.
>
> Ridley DiSiena CISSP
>
> From: fed-talk-bounces+ridley.disiena=email@hidden [mailto:fed-talk-bounces+ridley.disiena=email@hidden] On Behalf Of Bob Colbert
> Sent: Friday, April 13, 2012 9:37 AM
> To: email@hidden
> Subject: [Fed-Talk] ECA Certificates - Smart Card options?
>
> I have posted a few times on here about the External Certificate Authority type identity and encryption certificates for us poor, lowly contractors that need to communicate with the DoD. I obtain my ECA certificate from one of the DISA-approved third party vendors. The problem that I currently have is that my current Smart Card, a Gemalto Cyberflex Access 64K V2C, as reported by ActivClient in Windows, is not supported by the included tokends in Lion or the Pkard software doesn't work on this card type either.
>
> My primary goal for use of this ECA smart card is JPAS authentication, digital identity, and email encryption. Currently, I have to use Windows to do these functions. I don't mind using a Windows machine to initialize the certificates on the card, however, for everyday use, I would like to stay on the Mac side without having to boot VMWare just to send an email.
>
> Since it is probably less likely that support for the type of Smart Card that I have will be added, let me work the problem backwards. Please forgive me for perhaps oversimplifying the problem or misusing some of the terminology because I sort of look at the whole thing as a black box that should just "work" without having to understand the technical details for your typical end user.
>
> But, is there a Smart Card vendor that I could buy some cards from that already are supported on the Mac with either default tokends or with Pkard support? From my observation from how the certificates are installed on my current card on Windows with ActivClient from the ECA vendor, the actual "brand" of Smart Card appears irrelevant as long as ActivClient supports it. For example, perhaps being dumb about it, can I buy a Smart Card from the CAC vendor before they officially become a CAC card? And use that Smart Card during the certificate generation process from the ECA vendor?
>
> Any help would be appreciated. I would like to minimize my use of Windows for these types of trivial tasks. Now if I could just get Pro/Engineer or Solidworks on the Mac, I would be set.
>
> Bob Colbert
> email@hidden
> DE Technologies, Inc.
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden