Re: [Fed-Talk] YubiKeys on macOS and iOS — ditch your CAC
- Subject: Re: [Fed-Talk] YubiKeys on macOS and iOS — ditch your CAC
- From: Dave Schroeder via Fed-talk <email@hidden>
- Date: Wed, 22 Mar 2023 22:03:39 +0000
> On Mar 22, 2023, at 4:41 PM, Ken Hornstein via Fed-talk
> <email@hidden> wrote:
>
>> The enrollment process requires a PureBred Agent to do a little
>> back-and-forth with the user, exchanging OTPs and such, and needs to
>> happen on NIPR (to include AVD).
>
> In my limited, imperfect experience this is the challenging part.
Indeed; however, it is possible for this part to be easy. I can provision a
key, remotely, in less than 5 minutes.
>> Once provisioned, it can be used in place of a CAC and reader.
>
> I mean, yes, that's true. And it is interesting some of the YubiKeys
> work on iOS (although there are CAC readers for iOS). I haven't tried
> a PureBred derived certificate on a YubiKey, but I have experimented
> with just a straight DoD certificate and key on a YubiKey 5 for testing.
> Those YubiKeys present themselves as PIV cards, which is good in
> that means there isn't any new software required. But in my limited
> experience it's not the CAC that is the problem, it's <gestures broadly
> at everything> all of the other associated PKI baggage that ends up
> being an issue. I don't see how a YubiKey solves that, unless your
> issue is "I really need two CACs to make my life easier". Which, if
> that's your issue: fair enough!
I'm using it as a CAC replacement. In my case, I use probably 3 dozen or so
CAC/PIV-enabled sites (DOD, Army, and general USG) on a regular basis. It works
in place of my CAC on all of them, and also works for other tasks, such as PDF
and email signing. The only site it didn't work on for me was
https://www.intelink.gov, and that was only because
Chrome on macOS wasn't sending the DOD DERILITY CA-1 root CA, and Intelink
didn't yet have this CA in their trust store.
It also removes a huge reader hanging off the side of my laptop, and does
provide some "makes my life easier" options. But I do believe it's a more
user-friendly solution (once provisioned).
> I am curious if the certificate you get out of PureBred has one of
> the DoD "medium hardware assurance" certificate policies; I suspect
> it doesn't (that is a specific DoD-related concern).
It is Medium Hardware Assurance (AAL3).
>
> --Ken
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature