Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- From: "Henry B. Hotz" <email@hidden>
- Date: Wed, 23 Jan 2013 13:27:39 -0800
While the hardware of iPhone/iPad will support USB devices (like cameras), adding support for CCID-profile devices (smart card readers) violates the security policies of the OS and must come from Apple.
The exception is that a single application can probably do so for its own use. I'm guessing this is how Thursby are able to support the cards with their own custom browser.
On Jan 14, 2013, at 8:27 AM, Miller, Timothy J. wrote:
> Apple's mobile device management (MDM) protocol is a key enrollment
> ceremony; after user authentication to the MDM, device enrollment actually
> results in a device key and device cert issued to it. While it's
> theoretically possible at the MDM side to enable PKI based user
> authentication, at the device side you need a client that supports the
> CAC. AFAIK, this requires iOS extensions, which would have to come from
> Apple. It's unclear to me if a third-party MDM client would work in a
> smart card context.
>
> In addition, the specifics of Apple's MDM protocol actually use Simple
> Certificate Enrollment Protocol (SCEP) for the actual certificate
> request/retrieval. The DoD PKI does not support SCEP, so even if you
> could conquer user authN in device enrollment, you still can't finish the
> process.
>
> -- T
>
> On 1/11/13 2:44 PM, "Matt Stier" <email@hidden> wrote:
>
>> Afternoon Folks,
>>
>> I will soon be working with a DoD customer that wants to "get iPads on
>> the network." To me there are two primary hurdles and they are using
>> FIPS 140-2 validated crypto for WPA2-Enterprise (thankfully Apple is back
>> on the FIPS in-process list), and second
>> is the ability to use certificate-based authentication (EAP-TLS).
>> Unfortunately, standing up a CA like many of the commercial folks do is a
>> no go for us so we need to use the certs on our CAC.
>>
>> Does anyone out there know of any agencies that have accomplished the
>> ability to associate a CAC with a network authentication profile? If so,
>> I would be very appreciative if you or they could share some information
>> to help save the taxpayers some money!
>>
>> Feel free to contact me privately if you like.
>>
>> -Matt
>>
>> Matt Stier, CISSP/CWNA/ACMA
>> SPAWAR, Atlantic
>> Phone: 843.321.WLAN (9526) | Fax 843.218.6605
>> Email: email@hidden
>>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
email@hidden, or email@hidden