Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- From: "Henry B. Hotz" <email@hidden>
- Date: Wed, 23 Jan 2013 16:09:22 -0800
You guys do good work that deserves to be supported.
That said, I really wish that Apple would do what they did in Snow Leopard, where they said a standards-conforming reader and card should "just work" the way most cameras reportedly "just work" with iPhone/iPad. I note that an SCR-331 CCID-conforming card reader is *not* supported by iOS out of the box.
If iOS did what MacOS does, then Apple would make the card appear to be the same kind of credential as the soft-cert that you get from their MDM/SCEP process, and you would get EAP-TLS (and TTLS) with the smart card (and without the necessity of modifying the WiFi drivers to use your SDK).
Given ubiquitous PKI support, the card should, IMO, be just an OS device driver issue, not an application issue. Maybe you can get Apple to buy your stuff for inclusion in the next iOS? ;-)
On Jan 23, 2013, at 2:12 PM, Simon Hartley wrote:
> Henry:
> In reply to your point - Apple's MFi program is very specific around hardware and the apps that associate to it -- actually one of the ways in which they curate their ecosystem - less "weeds" in a "walled garden" idea.
>
> Our free secure browser supports a number of cards and a number of smart cards readers (not just our own).
>
> Rather than secure handling being limited to just our app, our free SDK allows those capabilities to be extended to other secure apps e.g. VPN, document signing etc.
>
> Regards,
> Simon @ Thursby
>
> On Jan 23, 2013, at 3:27 PM, Henry B. Hotz <email@hidden> wrote:
>
> While the hardware of iPhone/iPad will support USB devices (like cameras), adding support for CCID-profile devices (smart card readers) violates the security policies of the OS and must come from Apple.
>
> The exception is that a single application can probably do so for its own use. I'm guessing this is how Thursby are able to support the cards with their own custom browser.
>
> On Jan 14, 2013, at 8:27 AM, Miller, Timothy J. wrote:
>
>> Apple's mobile device management (MDM) protocol is a key enrollment
>> ceremony; after user authentication to the MDM, device enrollment actually
>> results in a device key and device cert issued to it. While it's
>> theoretically possible at the MDM side to enable PKI based user
>> authentication, at the device side you need a client that supports the
>> CAC. AFAIK, this requires iOS extensions, which would have to come from
>> Apple. It's unclear to me if a third-party MDM client would work in a
>> smart card context.
>>
>> In addition, the specifics of Apple's MDM protocol actually use Simple
>> Certificate Enrollment Protocol (SCEP) for the actual certificate
>> request/retrieval. The DoD PKI does not support SCEP, so even if you
>> could conquer user authN in device enrollment, you still can't finish the
>> process.
>>
>> -- T
>>
>> On 1/11/13 2:44 PM, "Matt Stier" <email@hidden> wrote:
>>
>>> Afternoon Folks,
>>>
>>> I will soon be working with a DoD customer that wants to "get iPads on
>>> the network." To me there are two primary hurdles and they are using
>>> FIPS 140-2 validated crypto for WPA2-Enterprise (thankfully Apple is back
>>> on the FIPS in process list) and second
>>> is the ability to use certificate based authentication (EAP-TLS).
>>> Unfortunately, standing up a CA like many of the commercial folks do is a
>>> no go for us so we need to use the certs on our CAC.
>>>
>>> Does anyone out there know of any agencies that have accomplished the
>>> ability to associate a CAC with a network authentication profile? If so,
>>> I would be very appreciative if you or they could share some information
>>> to help save the tax payers some money!
>>>
>>> Feel free to contact me privately if you like.
>>>
>>> -Matt
>>>
>>> Matt Stier, CISSP/CWNA/ACMA
>>> SPAWAR, Atlantic
>>> Phone: 843.321.WLAN (9526) | Fax 843.218.6605
>>> Email: email@hidden
>>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> email@hidden, or email@hidden
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
email@hidden, or email@hidden