Re: [Fed-Talk] YubiKeys on macOS and iOS — ditch your CAC
- Subject: Re: [Fed-Talk] YubiKeys on macOS and iOS — ditch your CAC
- From: Ken Hornstein via Fed-talk <email@hidden>
- Date: Wed, 22 Mar 2023 17:41:08 -0400

>The enrollment process requires a PureBred Agent to do a little
>back-and-forth with the user, exchanging OTPs and such, and needs to
>happen on NIPR (to include AVD).

In my limited, imperfect experience this is the challenging part.

>Once provisioned, it can be used in place of a CAC and reader.

I mean, yes, that's true. And it is interesting some of the YubiKeys
work on iOS (although there are CAC readers for iOS). I haven't tried
a PureBred derived certificate on a YubiKey, but I have experimented
with just a straight DoD certificate and key on a YubiKey 5 for testing.

Those YubiKeys present themselves as PIV cards, which is good in
that it means there isn't any new software required. But in my limited
experience it's not the CAC that is the problem, it's <gestures broadly
at everything> all of the other associated PKI baggage that ends up
being an issue. I don't see how a YubiKey solves that, unless your
issue is "I really need two CACs to make my life easier". Which, if
that's your issue: fair enough!

I am curious if the certificate you get out of PureBred has one of
the DoD "medium hardware assurance" certificate policies; I suspect
it doesn't (that is a specific DoD-related concern).

--Ken