On Jan 24, 2013, at 8:51 AM, Shawn Geddis <email@hidden> wrote: OS X's Smart Card Services are backed by CDSA, which everyone should know was deprecated with the release of OS X Lion v10.7. On OS X, all of the architectural components are still there except the Tokend modules installer needs to be downloaded from our SmartCardServices Project @ MacOSForge.org as well as the need to add the authentication mechanism line back into /etc/authorization. Commercial products are also available to augment or replace what continues to be available from MacOSForge.org.
Maybe this question belongs on a development list, but I'm not clear about what this means. From an architectural/development point of view, how much of the infrastructure has gone away? Without tokends, are keychains still supported? (Do smart cards still look like funny-named keychains?) Can you still daisy-chain keychain entries so one keychain entry can say to use another keychain for some specific thing?
There were thousands of pages of documentation for CDSA. While I was never up for reading them, it looked like it should be possible to associate Apple functionality with CDSA if you looked. The Apple docs always seemed disjoint, and sparse on details. Without CDSA I'm left feeling like I can't find enough information to actually understand Apple's functionality.
Of course, maybe the real answer will depend on what happens in the validation process. *sigh* Given ubiquitous PKI support, the card should, IMO, be just an OS device driver issue, not an application issue.
I would agree that it would be very nice to rely on integrated services for use of various hardware tokens. I will strongly disagree that it is simply a device driver issue -- tight integration like smart cards have on OS X does not come through the OS vendor simply dropping in a device driver - it is much more than that.
Yeah, "device driver" is oversimplified. I meant the whole PIV/CCID/USB/(pcscd/tokend?)/keychain(or pkcs11) support stack. Given the OS has a ubiquitous API for interfacing with PKI credentials, the card should be supported by that API and not require every single application to write special card support code.
------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
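An added example, not part of the thread, for checking the two pieces Shawn mentions on a Lion-era Mac: whether any tokend bundles are installed and whether the authentication mechanism line is present in /etc/authorization. The tokend directories and the mechanism string `builtin:smartcard-sniffer,privileged` are assumptions (the message does not name them); override them with the environment variables if your installation differs.

```shell
# Assumed locations of tokend bundles (Apple's and the MacOSForge installer's).
TOKEND_DIRS="${TOKEND_DIRS:-/Library/Security/tokend /System/Library/Security/tokend}"
AUTH_FILE="${AUTH_FILE:-/etc/authorization}"
# Assumed: the mechanism entry the SmartCardServices instructions ask you to restore.
MECHANISM="${MECHANISM:-builtin:smartcard-sniffer,privileged}"

# count_tokends DIR... : print the number of *.tokend bundles found across DIRs.
count_tokends() {
  n=0
  for d in "$@"; do
    for t in "$d"/*.tokend; do
      [ -e "$t" ] && n=$((n + 1))
    done
  done
  echo "$n"
}

# has_mechanism FILE STRING : succeed if STRING appears literally in FILE.
has_mechanism() {
  grep -q -F "$2" "$1" 2>/dev/null
}

# smartcard_status : one-line summary of both checks, e.g. "tokends=0 mechanism=missing".
smartcard_status() {
  tokends=$(count_tokends $TOKEND_DIRS)
  if has_mechanism "$AUTH_FILE" "$MECHANISM"; then mech=present; else mech=missing; fi
  echo "tokends=$tokends mechanism=$mech"
}
```

A result of `tokends=0` or `mechanism=missing` means the card will not show up as a keychain until the MacOSForge installer and the /etc/authorization edit from Shawn's message are applied.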