Re: [Fed-Talk] Tokend discussion
- Subject: Re: [Fed-Talk] Tokend discussion
- From: John Daly <email@hidden>
- Date: Mon, 08 Jun 2015 08:38:35 -0700
I must be missing something, Shawn. You would think accessing the keychain would be the way to go, but Apple's own technologies don't work right with CAC when it's in the keychain.
With Open Directory network accounts, if logging into a file server that uses the same authentication server, it should automagically log the user into the server. Single sign on. Works great if logging in with username and password. It doesn't work if logged in with CAC though.
Can't log in to ssh using CAC.
CAC shows up in keychain just fine, so if it doesn't work when Apple does it, why would it work for 3rd party developers, and if Apple isn't using the keychain for their own technology, why would 3rd parties?
Apple has gone from having the best smart card support in the industry to barely being an also-ran.
I can't even get it to reliably lock the screen when the CAC is removed from the system.
From the mind of me
> On Jun 6, 2015, at 7:25 PM, email@hidden wrote:
>
> Send Fed-talk mailing list submissions to
> email@hidden
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.apple.com/mailman/listinfo/fed-talk
> or, via email, send a message with subject or body 'help' to
> email@hidden
>
> You can reach the person managing the list at
> email@hidden
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Fed-talk digest..."
>
>
> Today's Topics:
>
> 1. Re: If DISA knows there is requirement they may fund
> development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support. (Shawn A. Geddis)
> 2. Re: If DISA knows there is requirement they may fund
> development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support. (Paul Nelson)
> 3. Re: If DISA knows there is requirement they may fund
> development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support. (Shawn A. Geddis)
> 4. Re: If DISA knows there is requirement they may fund
> development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support. (Paul Nelson)
> 5. Re: Tokend discussion... (Shawn A. Geddis)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 06 Jun 2015 17:50:03 -0700
> From: "Shawn A. Geddis" <email@hidden>
> To: "Mr. Raymond A. Jacob Jr" <email@hidden>
> Cc: Fed Talk <email@hidden>
> Subject: Re: [Fed-Talk] If DISA knows there is requirement they may
> fund development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support.
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="utf-8"
>
> No "Application" developer should ever need to worry about or deal with tokend. Tokend publishes the Smart Card as a dynamic keychain to Keychain services and provides access to the objects on the card (Certificates, private keys, etc.). Application developers need to focus on using Keychain Services and they get the "Smart Card as a Keychain" for free.
>
> This is a common misconception within this group and one I hope we can overcome at some point in time.
>
> - Shawn
> _____________________________
> Shawn Geddis
> Security and Certifications Engineer
> Platform Security / CoreOS
>
>> On Jun 5, 2015, at 2:16 PM, Jacob, Raymond A Jr. CIV SPAWARSYSCEN-ATLANTIC, 58830 <email@hidden> wrote:
>>
>> If DISA knows there is requirement they may fund development of version that runs on a mac that supports
>> Tokend and runs TransVerse regardless of the type of CAC card the user has.
>> If DISA does not know there is a requirement from the users there is no reason for DISA or AFRL
>> to fund the contractor in order to implement support for Mac OS 10.10 or 10.9.
>>
>> Anyway that is my thinking,
>> raymond
>>
>> -----Original Message-----
>> From: email@hidden [mailto:email@hidden]
>> Sent: Friday, June 05, 2015 5:07 PM
>> To: Jacob, Raymond A Jr. CIV SPAWARSYSCEN-ATLANTIC, 58830
>> Subject: Re: [Fed-Talk] DISA transverse and DCS. Everyone on fed-talk open up tickets for TransVerse Apple Support. email@hidden or 1-614-692-0032 (Select Options 1, 3, 2, 4 to reach DCS)
>>
>>> Everyone on fed-talk open up tickets for TransVerse
>> Ok, I’m up for it…
>>
>> Clue me in on the what-why
>>
>>> On Jun 5, 2015, at 4:37 PM, Jacob, Raymond A Jr. CIV SPAWARSYSCEN-ATLANTIC, 58830 <email@hidden> wrote:
>>>
>>> 1. Re: DISA transverse and DCS
>>> Everyone on fed-talk open up tickets for TransVerse Apple Support.
>>> DCS User Support: Service Support Desk
>>> (email@hidden)
>>> Comm: 1-614-692-0032 (Select Options 1, 3, 2, 4 to reach DCS) DSN
>>> (CONUS): 850-0032 DSN (OCONUS) Country Code 312
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 06 Jun 2015 19:58:40 -0500
> From: Paul Nelson <email@hidden>
> To: "Shawn A. Geddis" <email@hidden>
> Cc: "Mr. Raymond A. Jacob Jr" <email@hidden>, Fed Talk
> <email@hidden>
> Subject: Re: [Fed-Talk] If DISA knows there is requirement they may
> fund development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support.
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="utf-8"
>
>> On Jun 6, 2015, at 7:50 PM, Shawn A. Geddis <email@hidden> wrote:
>>
>> No "Application" developer should ever need to worry about or deal with tokend.
>
> But they do have to. Because there is no supported interface for developers like Thursby to make tokend, they break easily with new OS releases.
> My bug reports, filed and ignored for years, tell me that this is just the way life is.
>
> Paul Nelson
> CTO
> Thursby Software Systems, Inc.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 06 Jun 2015 18:19:25 -0700
> From: "Shawn A. Geddis" <email@hidden>
> To: "Mr. Paul W. Nelson" <email@hidden>
> Cc: "Mr. Raymond A. Jacob Jr" <email@hidden>, Fed Talk
> <email@hidden>
> Subject: Re: [Fed-Talk] If DISA knows there is requirement they may
> fund development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support.
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="utf-8"
>
> Paul,
>
> My note is clearly referring to "application developers", not middleware developers such as Thursby Software Systems, Inc. Applications do not interact *directly* with tokend in any way - rather through Keychain Services. The tokend interface has not changed for years and has allowed Thursby and others to continue with the same codebase. So, clearly tokend has not caused breaks for you with new OS releases, but possible regressions in other services may have. Let’s be sure we focus on what component you are dealing with rather than lumping everything together in one bucket.
>
> I believe what you may be thinking of are other *related* services that may also rely on use of certificates from the card such as Login Window, Kerberos, PKINIT, etc. These other services are not SmartCardServices nor do they require the developer to alter tokend nor deal with it directly.
>
> I refer you again to my comment that "Application" developers do not need to deal with tokend and that has always been the case.
>
> Despite your unfortunate feeling that your radars are being ignored, I can assure you that is not the truth. Getting enhancements or regressions addressed in your timeframe may in fact be an issue, but it does not mean in any way that your radars are being ignored.
>
> - Shawn
> _____________________________
> Shawn Geddis
> Security and Certifications Engineer
> Platform Security / CoreOS
>
>>> On Jun 6, 2015, at 5:58 PM, Paul Nelson <email@hidden> wrote:
>>>
>>> On Jun 6, 2015, at 7:50 PM, Shawn A. Geddis <email@hidden <mailto:email@hidden>> wrote:
>>>
>>> No "Application" developer should ever need to worry about or deal with tokend.
>>
>> But they do have to. Because there is no supported interface for developers like Thursby to make tokend, they break easily with new OS releases.
>> My bug reports, filed and ignored for years, tell me that this is just the way life is.
>>
>> Paul Nelson
>> CTO
>> Thursby Software Systems, Inc.
>
> ------------------------------
>
> Message: 4
> Date: Sat, 06 Jun 2015 20:31:48 -0500
> From: Paul Nelson <email@hidden>
> To: "Shawn A. Geddis" <email@hidden>
> Cc: "Mr. Raymond A. Jacob Jr" <email@hidden>, Fed Talk
> <email@hidden>
> Subject: Re: [Fed-Talk] If DISA knows there is requirement they may
> fund development. RE: DISA transverse and DCS. Everyone on fed-talk
> open up tickets for TransVerse Apple Support.
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="utf-8"
>
>> On Jun 6, 2015, at 8:19 PM, Shawn A. Geddis <email@hidden> wrote:
>>
>> Paul,
>>
>> My note is clearly referring to "application developers", not middleware developers such as Thursby Software Systems, Inc. Applications do not interact *directly* with tokend in any way - rather through Keychain Services. The tokend interface has not changed for years and has allowed Thursby and others to continue with the same codebase. So, clearly tokend has not caused breaks for you with new OS releases, but possible regressions in other services may have. Let’s be sure we focus on what component you are dealing with rather than lumping everything together in one bucket.
> My apologies. You are correct that Application developers don’t need to worry, only the user base.
>
>>
>> I believe what you may be thinking of are other *related* services that may also rely on use of certificates from the card such as Login Window, Kerberos, PKINIT, etc. These other services are not SmartCardServices nor do they require the developer to alter tokend nor deal with it directly.
>>
>> I refer you again to my comment that "Application" developers do not need to deal with tokend and that has always been the case.
>>
>> Despite your unfortunate feeling that your radars are being ignored, I can assure you that is not the truth. Getting enhancements or regressions addressed in your timeframe may in fact be an issue, but it does not mean in any way that your radars are being ignored.
>
> My radar 9334857 was filed on 25-Apr-2011. I guess that I’m being impatient.
>
>>
>> - Shawn
>> _____________________________
>> Shawn Geddis
>> Security and Certifications Engineer
>> Platform Security / CoreOS
>>
>>>> On Jun 6, 2015, at 5:58 PM, Paul Nelson <email@hidden <mailto:email@hidden>> wrote:
>>>>
>>>> On Jun 6, 2015, at 7:50 PM, Shawn A. Geddis <email@hidden <mailto:email@hidden>> wrote:
>>>>
>>>> No "Application" developer should ever need to worry about or deal with tokend.
>>>
>>> But they do have to. Because there is no supported interface for developers like Thursby to make tokend, they break easily with new OS releases.
>>> My bug reports, filed and ignored for years, tell me that this is just the way life is.
>>>
>>> Paul Nelson
>>> CTO
>>> Thursby Software Systems, Inc.
>
>
> ------------------------------
>
> Message: 5
> Date: Sat, 06 Jun 2015 19:25:40 -0700
> From: "Shawn A. Geddis" <email@hidden>
> To: "Mr. Paul W. Nelson" <email@hidden>
> Cc: Fed Talk <email@hidden>
> Subject: Re: [Fed-Talk] Tokend discussion...
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="utf-8"
>
> Paul,
>
> (changed message subject to be relevant to the discussion taking place…)
>
>> On Jun 6, 2015, at 6:31 PM, Paul Nelson <email@hidden> wrote:
>> My apologies. You are correct that Application developers don’t need to worry, only the user base.
>
>
> Definitely not trying to be difficult, but it would appear you’re taking the thread in a different direction than the original message was focused on. That is fine and you have valid points, but it is very difficult to clear up confusion if the discussion points keep changing with each message. I personally believe that "Identify. Discuss. Resolve. Move on." is a productive way to overcome challenges and confusion.
>
>>> Despite your unfortunate feeling that your radars are being ignored, I can assure you that is not the truth. Getting enhancements or regressions addressed in your timeframe may in fact be an issue, but it does not mean in any way that your radars are being ignored.
>> My radar 9334857 was filed on 25-Apr-2011. I guess that I’m being impatient.
>
> Looking at your radar...
>
> Radar: 9334857:
> Title: SecurityTokend is a private framework
> Filed on: 4/25/11
> Closed: 12/5/11 — ADR communicated with you and closed the radar.
>
> This is an interesting radar you bring up considering that it was closed on 12/5/11. It is not for a bug, regression nor an anomaly, but rather an enhancement request submitted against and prior to the release of OS X Lion which was ultimately released on July 20, 2011. Since we all know that the tokend modules were not shipped with OS X Lion due to their inherent reliance on CDSA which itself was deprecated with the release of OS X Lion, there are obvious reasons Apple would not have moved forward to document and perform the necessary work to make a framework publicly available if the foundation it is based on was deprecated at that same time. Why would a company promote developers' use of technology that is being deprecated?
>
> A significant amount of work has been going on, and continues, to modernize the whole foundation of SmartCardServices (i.e. CryptoTokenKit [1][2]) while simultaneously allowing you and everyone else to continue with utilizing a tokend already developed. Namely, replacements for ccid, pcscd, detachment from securityd and most importantly removal of the previous dependencies on CDSA. All the while you have been able to keep using your existing tokend modules. That is no small feat and it did quite honestly come with some regressions that were addressed.
>
> Guidance on discussion
> Now, this discussion and the whole thread has been on tokend which is only one piece of the integrated services required for seamless, OS-wide use of a smart card for all services. If you have specific issues with other services (i.e. Login, PKINIT, Kerberos, etc.) it is best to focus the attention on where the issue(s) remain and we get those addressed. I believe an unfortunate situation is that if *any* service relates to the use of smart cards and there are issues, then SmartCardServices are inappropriately blamed for the problem.
>
> SmartCardServices
> I have maintained the SmartCardServices project via MacOSForge.org <http://macosforge.org/> from Jan 2009 with source code, binaries and installers for folks to at least continue to use the services. There hasn’t been new feature/enhancement development via the project, since the architecture was deprecated in 2011. Some token specs have changed over the years, so some of the provided tokend modules are out of spec with respect to capabilities like “key history” support for PIV.
>
> Sorry you are not happy with what we have chosen to do or not do over the years. I can’t promise to change the past, but I will always promise to work with interested parties on working towards meeting the real needs of our customers moving forward. It will probably always be implemented differently than the way you think it should be done, but I will say without hesitation that we focus on "doing the right thing" — not just doing things. Not a commercial, just a thought!
>
>
> WWDC
> If you or others will be at WWDC on Monday, I will be there that one day only and would be happy to chat about this further.
>
> [1] What’s New in OS X <https://developer.apple.com/library/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_10.html>
> [2] CryptoTokenKit Changes <https://developer.apple.com/library/mac/documentation/General/Reference/APIDiffsMacOSX10_10SeedDiff/frameworks/CryptoTokenKit.html>
>
> - Shawn
> _____________________________
> Shawn Geddis
> Security and Certifications Engineer
> Platform Security / CoreOS
>
>
> ------------------------------
>
> _______________________________________________
> Fed-talk mailing list
> email@hidden
> https://lists.apple.com/mailman/listinfo/fed-talk
>
> End of Fed-talk Digest, Vol 12, Issue 64
> ****************************************
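Shawn's point in the quoted digest is that an application never touches tokend: the card is published as a dynamic keychain, so ordinary Keychain Services calls see its identities. The Swift below is an added illustration written for this page, not code from the thread, from Thursby, or from Apple's documentation; it assumes a macOS host where the smart card's keychain is in the legacy keychain search list, and the `clientAuthOnly` filter is my choice of policy (it mirrors `security find-identity -p ssl-client`).

```swift
import Foundation
import Security

/// Enumerate the identities (certificate + private key pairs) that Keychain
/// Services can see. A tokend-backed smart card is published as a dynamic
/// keychain in the search list, so a CAC's identities come back from this
/// same query with no tokend-specific code; pull the card and they vanish.
/// With `clientAuthOnly` the match is restricted with the TLS client policy,
/// the same filter `security find-identity -p ssl-client` applies.
func visibleIdentitySubjects(clientAuthOnly: Bool = false) -> [String] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
    ]
    if clientAuthOnly {
        // SecPolicyCreateSSL(false, nil): client-side TLS, any hostname.
        query[kSecMatchPolicy as String] = SecPolicyCreateSSL(false, nil)
    }

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    // No card inserted / nothing matching is a normal condition, not an error.
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess, let identities = result as? [SecIdentity] else {
        let msg = SecCopyErrorMessageString(status, nil) as String? ?? "unknown error"
        FileHandle.standardError.write("SecItemCopyMatching: \(status) \(msg)\n".data(using: .utf8)!)
        return []
    }

    return identities.compactMap { identity in
        var cert: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess,
              let certificate = cert else { return nil }
        // The subject summary is the name Keychain Access shows for the item.
        return SecCertificateCopySubjectSummary(certificate) as String?
    }
}

// Usage (assumed workflow): run once with the card inserted and once with it
// removed; the difference is exactly the set of identities tokend exposed.
let all = visibleIdentitySubjects()
print("\(all.count) identities visible via Keychain Services:")
all.forEach { print("  \($0)") }
let tls = visibleIdentitySubjects(clientAuthOnly: true)
print("\(tls.count) usable for TLS client authentication (ssl-client policy)")
```

If the card's identities are absent from the first listing while `security list-keychains` shows the card, the gap is in the keychain layer rather than in the application, which is the distinction the thread is arguing over.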