Re: [Fed-Talk] MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] MacOS X Catalina & CAC support
- From: "Blumenthal, Uri - 0553 - MITLL via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 18:00:38 +0000
- Thread-topic: [Fed-Talk] MacOS X Catalina & CAC support
> I cannot claim to understand everything about the Security framework,
> but I do not believe that "new API" applications will be able to access
> smartcards that are only available via tokend.
Tokend makes the certificates accessible via the same API that apps use to
access soft certs in the keychain. In fact, it makes the token appear as
another keychain. That's why the "new API" apps should be able to access
smartcards via Tokend: they won't be able to tell the difference between a soft
cert and a cert-on-the-token.
> In my experience when
> you call SecItemCopyMatching() and say you want identities that are on
> a smartcard you don't see tokend-presented identities. So if Mac-native
> apps have migrated completely to SecItemCopyMatching() then they probably
> won't work when you are using tokend.
I can't claim to understand Apple's approach/design at all, but if those apps
don't *explicitly* demand a *smartcard-based* identity - they should work.
> Chrome calls both the old and new Security framework APIs explicitly
> for this reason, that's why it's one of the few applications that work
> with native smartcard support and a tokend.
I'd like to think that Chrome calls both because it wants to pick both "soft"
identities, and those on the HW tokens.
Standing ready to be corrected.
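
One way to check the point under discussion on a given Mac, as an added example that is not part of the original message: it runs SecItemCopyMatching() twice, once unrestricted and once restricted to token identities, and prints what each returns. It assumes a non-sandboxed command-line build and takes kSecAttrAccessGroup = kSecAttrAccessGroupToken as the way a query "says it wants identities that are on a smartcard" (the thread does not name the attribute); the function name identitySummaries is hypothetical.

```swift
import Foundation
import Security

// Added example. Returns the subject summaries of the identities that
// SecItemCopyMatching() reports. With tokenOnly set, the query explicitly
// asks for token-based identities (assumption: via kSecAttrAccessGroupToken).
func identitySummaries(tokenOnly: Bool) -> [String] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
    ]
    if tokenOnly {
        query[kSecAttrAccessGroup as String] = kSecAttrAccessGroupToken
    }

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    // errSecItemNotFound (no match) and any other error yield an empty list.
    guard status == errSecSuccess, let items = result as? [AnyObject] else {
        return []
    }

    return items.map { item -> String in
        let identity = item as! SecIdentity
        var cert: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess,
              let c = cert,
              let summary = SecCertificateCopySubjectSummary(c) else {
            return "<unreadable certificate>"
        }
        return summary as String
    }
}

// Run with the card inserted and compare the two result sets.
let unrestricted = Set(identitySummaries(tokenOnly: false))
let tokenOnly = Set(identitySummaries(tokenOnly: true))
print("unrestricted query: \(unrestricted.sorted())")
print("token-only query:   \(tokenOnly.sorted())")
print("only in unrestricted: \(unrestricted.subtracting(tokenOnly).sorted())")
```

A card identity that appears in the unrestricted list but not in the token-only list is one that an app explicitly demanding token identities would not see on that machine.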