Has Apple worked out the next generation USB Token / Network HSM system support yet? From what I'm seeing, all the interfaces I am developing against for Symantec are deprecated - which is an unpleasant situation to be in, since technically the interface can be swiped out from under us.

Are there any plans on patching pcscd daemon or the ccid drivers? We are using Aladdin tokens and experience routine failures and "race conditions" between multiple applications using a device where even though transactions are properly used, hangs are encountered. This also bubbles up to SecurityD causing system hangs since it accesses pcscd as well.

If a third party were to upgrade pcscd or the ccid driver to resolve problems with what is installed at the system level, what sort of issues would we encounter if Apple were to push an update to these components (or is it planned to never update these)?
- Would the Apple update fail completely, preventing further updates to the system?
- Would the update ignore the update to a changed system component?
- Would the update overwrite our changes?


On Fri, Feb 17, 2012 at 12:09 PM, Shawn Geddis <geddis@me.com> wrote:
On Feb 17, 2012, at 11:52 AM, Thomas Harning Jr. wrote:
> I see that 10.7 has CDSA and SmartCardServices deprecated, meaning it
> is out the door for 10.8.
>
> How would one build TokenD implementations since CDSA is an integral
> dependency (TokenD directly exposes/consumes CSSM* types)?
>
> Is there a new pluggable-crypto system in the works? If so, hopefully
> it can support software-driven interfaces (ex: those that aren't
> PC/SC, perhaps direct USB tokens or network-based devices)...

Thomas,

Deprecation of CDSA is what prompted the removal of the Tokend modules from OS X Lion.  If you restore them on an OS X Lion system, you will have capabilities restored.  The Tokend modules have been based on CDSA in OS X 10.4, 10.5, 10.6 and still can in 10.7.  Deprecation of CDSA means that it is no longer THE Crypto/PKI architecture to rely on and that it will be gone in some future version of the OS - not exactly a guarantee it will be gone, but you can't count on it being there in a future release once it has been publicly announced as deprecated.

Apple has not made any announcements with respect to future frameworks to provide the same or similar functionality.  I can say that it is extremely high on the customer request list for Token/SmartCard support on iOS & OSX.  Since CDSA is deprecated and was never going to make it to iOS (size/age/functionality working against it), Apple was always faced with looking at something new.

As for the "software-driven interfaces", Tokend has been used quite a bit with USB Tokens and Network HSMs.  The system-wide support for abstracting Identities (of various types) for iOS / OSX is quite important.

Stay tuned to this space for future information.

-Shawn
__________________________________________________
Shawn Geddis                                                       geddis@me.com
Security Consulting Engineer                              geddis@apple.com

MacOSForge Project Lead:                           Smart Card Services
        Web:    http://smartcardservices.macosforge.org/
        Lists:  http://lists.macosforge.org/mailman/listinfo
__________________________________________________

--
Thomas Harning Jr. (http://about.me/harningt)