Re: [Fed-Talk] MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] MacOS X Catalina & CAC support
- From: "Rowe, Walter P. (Fed) via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 14:47:27 +0000
- Thread-topic: [Fed-Talk] MacOS X Catalina & CAC support
Apple Mail in Catalina does not find recipient certificates in Active Directory
in my testing. If you have a recipient certificate in your Keychain, it will
find it and you can encrypt the message. If you rely on finding recipient
certificates in Active Directory, Catalina Apple Mail does not find them. Our
Mac admin wrote a clever AppleScript service that will look at your recipient
list, use the security tool to find their certificates, and add them to your
local keychain. macOS High Sierra successfully looked up certificates in AD.
Mojave broke that. Early betas of Catalina fixed it. Later betas broke it again
and it remains broken.
Do others have a different (successful) experience with Catalina Apple Mail
finding recipient certificates in Active Directory?
Walter
--
Walter Rowe, Division Chief
Infrastructure Services Division
Office of Information Systems Mgmt
NIST / US Department of Commerce
Email: email@hidden
Office: 301.975.2885
Mobile: 202.355.4123
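The workaround Walter describes (look up each recipient's certificate and add it to the local keychain) can be scripted in plain shell. This is an added example, not the NIST admin's AppleScript service: it assumes the directory is reachable with ldapsearch at the placeholder LDAP_URI/LDAP_BASE, that the certificate is published in the standard AD userCertificate attribute, and that the login keychain is at its default path.

```shell
#!/bin/sh
# Fetch a recipient's S/MIME certificate from Active Directory and import it
# into the login keychain so Apple Mail can encrypt to that address.
# LDAP_URI and LDAP_BASE are placeholders; set them for your directory.
LDAP_URI="${LDAP_URI:-ldap://dc.example.gov}"
LDAP_BASE="${LDAP_BASE:-DC=example,DC=gov}"
KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Print the base64 body of every userCertificate value in LDIF read on stdin.
# LDIF folds long values onto continuation lines that begin with one space,
# so those lines are joined back together before the value is printed.
ldif_cert_b64() {
  awk '
    /^userCertificate(;binary)?:: / { if (grab) print buf
                                      grab=1; sub(/^[^:]*:: /, ""); buf=$0; next }
    grab && /^ /                    { sub(/^ /, ""); buf=buf $0; next }
    grab                            { print buf; grab=0 }
    END                             { if (grab) print buf }
  '
}

# Look up one mail address in AD and import its certificate(s).
# Returns non-zero when nothing was imported.
import_recipient_cert() {
  addr="$1"
  # Nothing to do if the keychain already holds a cert for this address.
  security find-certificate -e "$addr" >/dev/null 2>&1 && return 0
  tmp="$(mktemp -d)"
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" "(mail=$addr)" userCertificate \
    | ldif_cert_b64 > "$tmp/certs.b64"
  n=0
  while read -r b64; do
    printf '%s' "$b64" | base64 --decode > "$tmp/cert.der"
    # Import only values that parse as X.509 DER; skip anything malformed.
    if openssl x509 -inform DER -in "$tmp/cert.der" -noout 2>/dev/null; then
      security add-certificates -k "$KEYCHAIN" "$tmp/cert.der" && n=$((n+1))
    fi
  done < "$tmp/certs.b64"
  rm -rf "$tmp"
  [ "$n" -gt 0 ]
}
```

Run `import_recipient_cert someone@agency.gov` for each address on the To/Cc list before composing the encrypted message.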
On Oct 8, 2019, at 10:41 AM, Blumenthal, Uri - 0553 - MITLL via Fed-talk
<email@hidden> wrote:
In my experience, OpenSC already supports Firefox and Acrobat perfectly, and is
available both as a source repo and as a binary package. In my opinion, this is
the best currently available option for smartcards (and not just CAC or PIV
tokens!) on Catalina - especially because there's a large community behind it
that provides pretty decent support. That works for all the apps with PKCS#11
capabilities, and for a large number of tokens.
Apple-native apps (Safari and Apple Mail) were migrated to CTK, so they can
access the tokens (CAC and PIV only) via "pivtoken" (standard with High Sierra,
Mojave, and Catalina).
The real problem is with those apps that still rely on the CDSA API, rather than on
the new CTK - such as MS Office (AFAIK). Unfortunately, neither OpenSC (which
provides a PKCS#11 library) nor your keychain-pkcs11 (which provides a PKCS#11
library) can help with this issue. And OpenSC.tokend, which addressed it up until
Mojave, won't work on Catalina.
On 10/8/19, 10:18 AM, "Fed-talk on behalf of Ken Hornstein via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of email@hidden> wrote:
Everyone,
It is my understanding that MacOS X Catalina has finally killed off support
for third-party token daemons ("tokend") which make smart cards available
via the older Keychain APIs.
I tested out my keychain-pkcs11 plugin, and it worked fine on Catalina
with Firefox (for web browsing) and Adobe Acrobat (for document
signing). Now obviously I am biased because I wrote keychain-pkcs11,
but as far as I know currently it is the only option for CAC/smartcard
support for those two applications on Catalina. If there are other
options to make these applications work on Catalina I would love to hear
about them. And if anyone has problems with keychain-pkcs11 I would
be interested in hearing about them.
--Ken
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list
(email@hidden)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/fed-talk/uri%40ll.mit.edu
This email sent to email@hidden