Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
- Subject: Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
- From: "Neely, Lee via Fed-talk" <email@hidden>
- Date: Fri, 9 Feb 2024 16:19:39 +0000
For example, in Outlook, I get prompted to decode, prompted to reply, prompted
to send, and prompted to file in another folder. And on send I can get
prompted multiple times, depending on how many signature operations ... (You
get it – I think the max we counted was 12 times for a single message in a
thread.)
The trick is soft-certs in the keychain mask this behavior from an end user.
(We’re looking to transition to hard certs – PIV/PIV-D/YK/etc.)
We were looking for ways to cut that back and started working with a vendor on
a custom version of the Apple CTK which allowed for caching of the PIN. There
is a NIST guide (sorry I’m not citing it.) – The idea is to cut down the number
of times a user is prompted, not eliminate it. We haven’t finished that work –
but initial testing found if we cached it for a few minutes the user experience
improved incredibly. Each app’s cache is separate, and the cache timeout is
configurable.
I realize there are guidelines/standards about how often that PIN prompt should
happen. To me this is one of the cases where we need to balance security and
user experience. I don’t want to have users opt-out of secure practices.
I appreciate that ask of Apple to make a change, (please don’t back off on the
ask) and it doesn’t hurt to look for alternatives.
Lee
From: Rowe, Walter P. (Fed) via Fed-talk <email@hidden>
Date: Friday, February 9, 2024 at 7:57 AM
To: Ken Hornstein <email@hidden>
Cc: email@hidden <email@hidden>
Subject: Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
This issue has been discussed here before. Someone with a PKCS11 plugin noted
the likely culprit in terms of at what stage they are signing the message
because their own plugin avoided this. I don't recall the person's name. We
(NIST) reported the issue after the Ventura upgrade that introduced this issue
with lots of illustrated / narrated videos. Apple is fully aware of the issue
and seems to know how to fix it. I encourage as many people as possible to open
cases for this. The broader the impact we can demonstrate, the more priority
they may put on fixing it.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services Division
Mobile: 202.355.4123
On Feb 9, 2024, at 9:53 AM, Ken Hornstein <email@hidden> wrote:
I still experience one annoyance .. when composing a new email in Apple
Mail with Signing enabled .. I am frequently asked for my PIN.
My assumption is that auto-saving the draft is also signing it. It
should only sign the message once after we press Send.
AFAIK, this behavior has been around for a while; also, you get 3 PIN
prompts when you send that signed message. I can sort of understand
TWO PIN prompts (one thing that happens is some APIs encourage you to do
a "trial" signing to determine the signature size and then try signing
again with a buffer allocated with the correct size), but the third one
has always mystified me.
A year or two ago I had "office hours" with someone at Apple and I asked
them about this issue (along with many other things). They tracked down
one of the bugs reported on this issue, and I was basically told this
was low priority and unlikely to be fixed anytime soon.
A previous version of the Security framework (I think back in High
Sierra) had a comment saying that it did PIN caching _in_ the Security
framework to reduce PIN prompts in Mail.app and this code was going
to be removed in the future as it was going to be fixed in Mail.app
directly. Obviously that caching code was removed but it was never
addressed in Mail.app. I know from my work on keychain-pkcs11 it's
possible to do some authentication caching to reduce PIN prompts but
the exact details on how to do that are unfortunately extremely
undocumented, even for Apple.
--Ken
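The two-call "trial signing" Ken describes above and the timed PIN cache Lee's team tested can both be made concrete with a small model. This is an added example written for this thread, not code from either poster, from Apple's CTK, or from keychain-pkcs11; the token, its signing API, the 256-byte signature size and the 100-second spacing between sends are all constructed assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed model of a smartcard token (not Apple's CTK or keychain-pkcs11):
 * it counts PIN prompts so the cost of the two-call signing pattern and the
 * effect of a timed PIN cache can be measured. */
typedef struct {
    int pin_prompts;         /* times the user was asked for the PIN */
    time_t pin_verified_at;  /* 0 = no cached verification */
    int cache_ttl_seconds;   /* 0 = never cache: prompt on every operation */
} token_t;

/* Prompt for the PIN unless a verification is still within the TTL. */
static void token_login(token_t *t, time_t now) {
    if (t->cache_ttl_seconds > 0 && t->pin_verified_at != 0 &&
        now - t->pin_verified_at < t->cache_ttl_seconds)
        return;              /* cache hit: no dialog */
    t->pin_prompts++;        /* simulated PIN dialog */
    t->pin_verified_at = now;
}

/* Two-call signing API as Ken describes: sig == NULL asks for the required
 * size, but the card must be unlocked for either call. Returns the length.
 * The "signature" bytes are a placeholder, not real cryptography. */
static size_t token_sign(token_t *t, const unsigned char *msg, size_t len,
                         unsigned char *sig, size_t siglen, time_t now) {
    const size_t needed = 256;   /* e.g. an RSA-2048 signature */
    token_login(t, now);
    if (sig == NULL || siglen < needed) return needed;
    for (size_t i = 0; i < needed; i++)
        sig[i] = (unsigned char)(i ^ (len ? msg[i % len] : 0));
    return needed;
}

/* One Send as a mail client does it: size query, then the real signing call. */
static void send_signed(token_t *t, const char *msg, time_t now) {
    unsigned char sig[256];
    size_t need = token_sign(t, (const unsigned char *)msg, strlen(msg), NULL, 0, now);
    token_sign(t, (const unsigned char *)msg, strlen(msg), sig, need, now);
}

/* Send n messages 100 s apart and return how many PIN prompts the user saw. */
static int prompts_for_sends(int cache_ttl_seconds, int n) {
    token_t t = { 0, 0, cache_ttl_seconds };
    for (int i = 0; i < n; i++)
        send_signed(&t, "constructed test message", 1000 + (time_t)(100 * i));
    return t.pin_prompts;
}
```

With no cache every Send costs two prompts, while a 300-second cache collapses a burst of sends into a single prompt and only asks again once the window has expired.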