Re: [Fed-Talk] Beta version of "keychain-pkcs11" available
- Subject: Re: [Fed-Talk] Beta version of "keychain-pkcs11" available
- From: "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
- Date: Wed, 26 Sep 2018 17:38:58 +0000
- Thread-topic: [Fed-Talk] Beta version of "keychain-pkcs11" available
On 9/24/18, 12:24 PM, "Fed-talk on behalf of Ken Hornstein" <fed-talk-bounces+uri=email@hidden on behalf of email@hidden> wrote:
> > How about "ctk-pkcs11", for starters? While admittedly not great, at
> > least it does not mislead the reader.
>
> ... I don't think ctk-pkcs11 is any better, for two reasons: almost
> nobody knows what CTK is, and it's also inaccurate as I don't actually
> make any calls to the CryptoTokenKit framework.
This is not about users knowing or not knowing about CTK - it is about users
knowing about keychain and having certain expectations related to that. The
proposed name change removes those unfounded expectations.
You may not call CTK *directly*, but surely Security CTK framework actually
does call CTK on your behalf? So, it's not *that* inaccurate. ;-)
> Well, I mean no slight at the OpenSC people, but part of my motivation
> is that disabling the Apple-supplied Smartcard support is a tough
> sell in some environments, like ours.
Well, it's disabling "pivtoken" and running "OpenSC.tokend" instead. In my
experience, you could run them both without observable harm, so the "disabling"
may not be necessary. Regardless, whatever works... ;-)
> And from what I read for the documentation for OpenSCToken, your choices
> on using it are: 1) live with it occasionally being deleted, or
> 2) install it by disabling system integrity. That is a LARGE uphill
> battle to fight in some environments.
I think you're correct here. But since OpenSCToken does not support older apps
like MS Office, there are no advantages for me using it (i.e., it's no better
than the native "pivtoken", maybe has better config options, which are
irrelevant because the target apps don't use CTK). So, I made sure it compiles,
and promptly forgot about it. ;-)
>> I wonder if you do smartcard policy enforcement with Apple-provided
>> "pivtoken".
>
> Well, it depends on what you mean.
I mean functionality similar to the SmartCardVerify plugin that enforces computer
access policy. It matters because while it can be controlled from the Active
Directory side, we wanted the ability to temporarily disable it when
authorized/needed. I don't think AD supports that.
> I was talking about the former; I realize we're kind of stuck with
> apps that only implement the CDSA API. As far as I know, there is no
> solution right now for these apps on High Sierra, right?
Current solution on High Sierra is OpenSC.tokend (yes, it works fine, so far).
And opensc-pkcs11 library that supports all the PKCS#11-capable apps, including
OpenSSL.
> I can only
> say that judging by the comments in Chrome, the changes that are needed
> to convert your app over to the newer API are not large, so hopefully
> those applications will migrate at some point.
Yes, I hope all the apps would eventually migrate, so I would be able to forget
maintaining a tokend fork, and use pivtoken for everything app-related... But
until that happy day, I'm stuck.
Could you please point me at the comments in Chrome about the changes required
for conversion?