Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
- Subject: Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
- From: "Rowe, Walter P. \(Fed\) via Fed-talk" <email@hidden>
- Date: Fri, 9 Feb 2024 14:57:21 +0000
- Thread-topic: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
This issue has been discussed here before. Someone with a PKCS11 plugin noted
the likely culprit in terms of at what stage they are signing the message
because their own plugin avoided this. I don't recall the person's name. We
(NIST) reported the issue after the Ventura upgrade that introduced this issue
with lots of illustrated / narrated videos. Apple is fully aware of the issue
and seems to know how to fix it. I encourage as many people as possible to open
cases for this. The broader the impact we can demonstrate, the more priority
they may put on fixing it.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services Division
Mobile: 202.355.4123
On Feb 9, 2024, at 9:53 AM, Ken Hornstein <email@hidden> wrote:
I still experience one annoyance .. when composing a new email in Apple
Mail with Signing enabled .. I am frequently asked for my PIN.
My assumption is that auto-saving the draft is also signing it. It
should only sign the message once after we press Send.
AFAIK, this behavior has been around for a while; also, you get 3 PIN
prompts when you send that signed message. I can sort of understand
TWO PIN prompts (one thing that happens is some APIs encourage you to do
a "trial" signing to determine the signature size and then try signing
again with a buffer allocated with the correct size), but the third one
has always mystified me.
A year or two ago I had "office hours" with someone at Apple and I asked
them about this issue (along with many other things). They tracked down
one of the bugs reported on this issue, and I was basically told this
was low priority and unlikely to be fixed anytime soon.
A previous version of the Security framework (I think back in High
Sierra) had a comment saying that it did PIN caching _in_ the Security
framework to reduce PIN prompts in Mail.app and this code was going
to be removed in the future as it was going to be fixed in Mail.app
directly. Obviously that caching code was removed but it was never
addressed in Mail.app. I know from my work on keychain-pkcs11 it's
possible to do some authentication caching to reduce PIN prompts but
the exact details on how to do that are unfortunately extremely
undocumented, even for Apple.
--Ken