Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 24 Jan 2013 13:10:18 +0000
- Thread-topic: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
Just because he has a working application doesn't mean that application isn't working like Henry and I have described. Likely he's using Thursby's demonstration app or Good for iOS. Both apps support smart cards exactly as we said: by providing the complete smart card SW stack themselves. This limits the user to the applications embedded in the app; e.g., Good for iOS embeds a mail client and a web browser, but Thursby embeds only a browser.
By way of contrast, ask him to fire up Apple's Safari on iOS and CAC authN to the AF Portal. It won't work. :)
-- T
________________________________________
From: Rubin, Bruce Civ USAF AFMC AFRL/RIEBA [email@hidden]
Sent: Wednesday, January 23, 2013 17:37
To: Henry B. Hotz
Cc: email@hidden Talk; Miller, Timothy J.
Subject: RE: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
Maybe this is like the Laws of Aerodynamics and the bumblebee because a
colleague where I work uses a CAC reader with his iPad (I don't think he is
pretending that it works).
-----Original Message-----
From: fed-talk-bounces+bruce.rubin=email@hidden
[mailto:fed-talk-bounces+bruce.rubin=email@hidden] On Behalf Of
Henry B. Hotz
Sent: Wednesday, January 23, 2013 4:28 PM
To: Miller, Timothy J.
Cc: email@hidden Talk
Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
While the hardware of iPhone/iPad will support USB devices (like cameras),
adding support for CCID-profile devices (smart card readers) violates the
security policies of the OS and must come from Apple.
The exception is that a single application can probably do so for its own
use. I'm guessing this is how Thursby are able to support the cards with
their own custom browser.
On Jan 14, 2013, at 8:27 AM, Miller, Timothy J. wrote:
> Apple's mobile device management (MDM) protocol is a key enrollment
> ceremony; after user authentication to the MDM, device enrollment
> actually results in a device key and device cert issued to it. While
> it's theoretically possible at the MDM side to enable PKI based user
> authentication, at the device side you need a client that supports the
> CAC. AFAIK, this requires iOS extensions, which would have to come
> from Apple. It's unclear to me if a third-party MDM client would work
> in a smart card context.
>
> In addition, the specifics of Apple's MDM protocol actually use Simple
> Certificate Enrollment Protocol (SCEP) for the actual certificate
> request/retrieval. The DoD PKI does not support SCEP, so even if you
> could conquer user authN in device enrollment, you still can't finish
> the process.
>
> -- T
>
> On 1/11/13 2:44 PM, "Matt Stier" <email@hidden> wrote:
>
>> Afternoon Folks,
>>
>>
>> I will soon be working with a DoD customer that wants to "get iPads
>> on the network." To me there are two primary hurdles and they are
>> using FIPS 140-2 validated crypto for WPA2-Enterprise (thankfully
>> Apple is back on the FIPS in process list) and second is the ability
>> to use certificate based authentication (EAP-TLS).
>> Unfortunately, standing up a CA like many of the commercial folks do
>> is a no go for us so we need to use the certs on our CAC.
>>
>>
>> Does anyone out there know of any agencies that have accomplished the
>> ability to associate a CAC with a network authentication profile? If
>> so, I would be very appreciative if you or they could share some
>> information to help save the tax payers some money!
>>
>>
>>
>> Feel free to contact me privately if you like.
>>
>>
>>
>> -Matt
>>
>> Matt Stier, CISSP/CWNA/ACMA
>> SPAWAR, Atlantic
>> Phone: 843.321.WLAN (9526) | Fax 843.218.6605
>> Email: email@hidden
>>
>>
>>
>>
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL,
NASA, or the US Government.
email@hidden, or email@hidden
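For readers wondering what "associate a CAC with a network authentication profile" would have to look like on the device side, here is an added illustration (not from any participant in this thread, and not Apple's or DoD's own sample) of the native iOS path the thread says a CAC cannot follow: a configuration profile whose Wi-Fi payload does EAP-TLS (EAP type 13) with a client identity that the built-in supplicant finds in the device keychain via PayloadCertificateUUID. The SSID, RADIUS server names, PKCS#12 blob, password and all UUIDs are placeholders I made up for the example. The point is the coupling: the supplicant only looks up identities that were installed into the keychain (here, a PKCS#12 payload pushed by the profile or MDM/SCEP), which is exactly what a key that lives only on the CAC chip cannot satisfy without Apple-level CCID and keychain integration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>EAP-TLS Wi-Fi (illustrative example)</string>
  <!-- Hypothetical identifiers; replace with your own reverse-DNS identifier and fresh UUIDs. -->
  <key>PayloadIdentifier</key><string>example.invalid.eaptls</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1. The client identity the supplicant will use. On a "commercial CA" deployment this
         PKCS#12 is produced by your own CA (or the MDM fetches a cert via SCEP instead).
         A CAC's private key never leaves the card, so no equivalent payload can be built from it. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Device EAP-TLS identity</string>
      <key>PayloadIdentifier</key><string>example.invalid.eaptls.identity</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <!-- Base64 of a PKCS#12 file; placeholder bytes, not a real bundle. -->
      <key>PayloadContent</key><data>MIIBAAIBAA==</data>
      <!-- Import password for the PKCS#12; constructed placeholder. -->
      <key>Password</key><string>change-me</string>
    </dict>
    <!-- 2. The Wi-Fi payload. AcceptEAPTypes 13 = EAP-TLS. The identity is referenced, not embedded:
         PayloadCertificateUUID must match the UUID of a certificate payload in this same profile. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Enterprise Wi-Fi</string>
      <key>PayloadIdentifier</key><string>example.invalid.eaptls.wifi</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>SSID_STR</key><string>EXAMPLE-WPA2-ENT</string>
      <key>HIDDEN_NETWORK</key><false/>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array><integer>13</integer></array>
        <!-- Pin the RADIUS server identity so the device will not hand its identity to a rogue AP.
             Hostname is a placeholder. -->
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.invalid</string></array>
        <!-- Optionally also pin the server certificate chain by referencing a com.apple.security.root
             payload UUID in PayloadCertificateAnchorUUID (omitted here). -->
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Two practitioner checks that follow from the thread: first, FIPS 140-2 validated crypto is a property of the iOS crypto module doing the TLS handshake, not of anything in this profile, so the profile does not change the FIPS story one way or the other; second, if the server-name and anchor pinning keys are left out, the device will accept any RADIUS certificate its trust store chains to, which is the classic "evil twin" exposure for EAP-TLS clients.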