Effort to rebuild smartcard services on Mac from ground up
Hello all,

I'm mostly a frustrated smartcard user at this point, but I play the role of developer (or development manager) in my day job. So I have a combination of Mac OS X 10.10, Centrify (with its smartcard additions), PIV/CAC type smart cards, a Yubikey NEO, and would like it if GnuPG actually worked.

Mostly, the CAC/PIV type smartcards actually work (I believe really related to the Centrify, but who knows, really…) but the YubiKey + GnuPG just do NOT work reliably (if at all.)

Strangely, it seems like pcsctest can always find the card readers / devices attached to my machine reliably; but I do occasionally run into random bugs of things that simply don't work. And many of my colleagues with Macs often have numerous problems with smartcards operating correctly. (I personally have 3 smartcards, not including the Yubikey NEO.) In general, various colleagues use some combination of: the opensource tokend updates, Centrify, and Thursby PKard. But all solutions seem to have bugs / issues filed with Apple.

My question is, to someone who hopefully has thought about this a lot more than I have looked into it: how many man months would it be to start over? Take an up-to-date drop of PCSC from open source and do a new cleanroom port to Mac possibly?

Second question: would people even want that?

Regards, Chris Inacio
If Apple releases the CryptoTokenKit API, there are indications that it may replace the need for PCSC: http://ludovicrousseau.blogspot.com/2014/11/os-x-yosemite-and-smart-cards-st...

Of course CryptoTokenKit doesn't help us if Apple does not provide the API documentation. No indication of what would replace CDSA/tokend though.

-Ridley

From: Chris Inacio <nacho319@gmail.com>
Date: Friday, April 17, 2015 at 11:46 AM
To: "smartcardservices-dev@lists.macosforge.org" <smartcardservices-dev@lists.macosforge.org>
Subject: [SmartcardServices-Dev] Effort to rebuild smartcard services on Mac from ground up
2015-04-17 17:46 GMT+02:00 Chris Inacio <nacho319@gmail.com>:
Hello all,
Hello,
I'm mostly a frustrated smartcard user at this point, but I play the role of developer (or development manager) in my day job. So I have a combination of Mac OS X 10.10, Centrify (with its smartcard additions), PIV/CAC type smart cards, a Yubikey NEO, and would like it if GnuPG actually worked.
Mostly, the CAC/PIV type smartcards actually work (I believe really related to the Centrify, but who knows, really…) but the YubiKey + GnuPG just do NOT work reliably (if at all.)
What do you try to do with the YubiKey + GnuPG? Use it with Mail + Safari?

Bye
--
Dr. Ludovic Rousseau
I can't respond to Dr. Rousseau directly for list subscription reasons, so sorry about screwing up the thread a bit.

I would be impressed if "gpg2 --card-status" didn't just hang. I understand that GPG has its own card server program and wants exclusive access to the Yubikey. GPG2 works on RARE occasion and I can't figure out the why's and when's even though I've tried.

But from reading various looks at Apple's current smartcard service, it seems like it doesn't get a lot of love. I assume that Apple hasn't really dedicated a significant number of engineers to this. And from reading your blog, Dr. Rousseau, it doesn't feel like you believe in Apple's roadmap, at least from the parts that are visible.
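Editor's added example, not code from this thread or from any of the projects it mentions: a small pyscard probe that talks to the reader over PC/SC directly, bypassing both GnuPG's card daemon (scdaemon) and tokend, so a reader/pcscd problem can be told apart from a GnuPG problem. It sends an ISO 7816-4 SELECT for the standard OpenPGP and PIV application identifiers and reports the status word. The connect is made in shared mode: if scdaemon already holds the card exclusively, PC/SC returns a sharing-violation error immediately instead of hanging, which is the distinction Chris is after. pyscard (`pip install pyscard`) is assumed for the live path; the `FakeOpenPgpOnlyCard` class is a constructed stand-in so the pure helpers run with no reader attached.

```python
"""Probe smart-card applets over PC/SC directly, bypassing scdaemon and tokend.

Added example for the thread above; pyscard is assumed for the live path and
FakeOpenPgpOnlyCard is a constructed stand-in for offline runs.
"""
from typing import Callable, Dict, List, Tuple

# Standard application identifiers (not assumptions):
OPENPGP_AID = [0xD2, 0x76, 0x00, 0x01, 0x24, 0x01]  # OpenPGP card application
PIV_AID = [0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00]  # NIST PIV

# A transport sends one APDU and returns (response data, SW1, SW2).
Transmit = Callable[[List[int]], Tuple[List[int], int, int]]


def build_select(aid: List[int]) -> List[int]:
    """ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc AID."""
    if not 1 <= len(aid) <= 16:
        raise ValueError("AID must be 1..16 bytes")
    return [0x00, 0xA4, 0x04, 0x00, len(aid)] + list(aid)


def describe_sw(sw1: int, sw2: int) -> str:
    """Turn the status word into a short diagnosis."""
    sw = (sw1 << 8) | sw2
    if sw == 0x9000:
        return "ok"
    if sw1 == 0x61:
        return "ok (%d more bytes available via GET RESPONSE)" % sw2
    if sw == 0x6A82:
        return "applet not found"
    if sw == 0x6982:
        return "security status not satisfied"
    if sw1 == 0x6C:
        return "wrong Le, card expects %d" % sw2
    return "unexpected SW %04X" % sw


def probe_applets(transmit: Transmit) -> Dict[str, str]:
    """SELECT each applet through `transmit` and return {name: diagnosis}."""
    results = {}
    for name, aid in (("openpgp", OPENPGP_AID), ("piv", PIV_AID)):
        _data, sw1, sw2 = transmit(build_select(aid))
        results[name] = describe_sw(sw1, sw2)
    return results


def probe_readers() -> Dict[str, Dict[str, str]]:
    """Live path: needs pyscard and a reachable PC/SC daemon (pcscd/ctkpcsc)."""
    # Imported lazily so the pure helpers above work without pyscard installed.
    from smartcard.System import readers
    from smartcard.scard import SCARD_SHARE_SHARED
    from smartcard.Exceptions import CardConnectionException, NoCardException

    report = {}
    for reader in readers():
        conn = reader.createConnection()
        try:
            # Shared mode: if scdaemon holds the card exclusively this raises
            # (sharing violation) right away instead of blocking.
            conn.connect(mode=SCARD_SHARE_SHARED)
            report[str(reader)] = probe_applets(conn.transmit)
        except NoCardException:
            report[str(reader)] = {"error": "no card present"}
        except CardConnectionException as exc:
            report[str(reader)] = {"error": "connect failed: %s" % exc}
        finally:
            try:
                conn.disconnect()
            except Exception:
                pass
    return report


class FakeOpenPgpOnlyCard:
    """Constructed stand-in: answers SELECT for OpenPGP, has no PIV applet."""

    def transmit(self, apdu: List[int]) -> Tuple[List[int], int, int]:
        if apdu[:5] == [0x00, 0xA4, 0x04, 0x00, len(OPENPGP_AID)] and apdu[5:] == OPENPGP_AID:
            return [], 0x90, 0x00
        return [], 0x6A, 0x82


if __name__ == "__main__":
    print("constructed card:", probe_applets(FakeOpenPgpOnlyCard().transmit))
    try:
        print("attached readers:", probe_readers())
    except ImportError:
        print("pyscard not installed; only the constructed card was probed")
```

If the live run reports "connect failed" with a sharing violation while gpg2 is idle, something else (scdaemon left running, or a tokend) is holding the card; if SELECT answers 9000 here but gpg2 --card-status still hangs, the PC/SC layer is fine and the problem sits above it.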
Hello Chris,

Chris Inacio wrote on 22/04/15 at 21:2359:
I can't respond to Dr. Rousseau directly for list subscription reasons, so sorry about screwing up the thread a bit.
I would be impressed if "gpg2 --card-status" didn't just hang. I understand that GPG has its own card server program and wants exclusive access to the Yubikey. GPG2 works on RARE occasion and I can't figure out the why's and when's even though I've tried.
But from reading various looks at Apple's current smartcard service, it seems like it doesn't get a lot of love. I assume that Apple hasn't really dedicated a significant number of engineers to this. And from reading your blog, Dr. Rousseau, it doesn't feel like you believe in Apple's roadmap, at least from the parts that are visible.
From my POV of some years in a SmartCardServices-dependent project (on OSX, at least, we support 2 other platforms), I can tell you that Apple effectively doesn't care one damn bit. After our years-long attempts at getting the slightest bit of information about the largely invisible roadmap, we got.. zero response.. Even mentioning the 11 million potential users didn't get their attention..

My impression: Apple, being a US company, needs to appear "patriotic" and "supporting the troops" etc.. so they cannot help but support CAC cards, but otherwise, if you have a business model based on anything smart-card related involving Apple Inc.. RUN LIKE HELL!

-f
_______________________________________________ SmartcardServices-Dev mailing list SmartcardServices-Dev@lists.macosforge.org https://lists.macosforge.org/mailman/listinfo/smartcardservices-dev
On Apr 22, 2015, at 1:48 PM, Frank Mariën <frank@apsu.be> wrote:
So unfortunate that you feel the need to slander that which you do not know.

Apple does not provide OS roadmaps outside of what is provided at WWDC. Other than that, none of your statements above are true with respect to Apple Inc. or myself as an Apple employee leading this project.

- Shawn
_____________________________________________________________________
Shawn Geddis geddis@{Mac | Me | iCloud}.com
Security and Certifications Engineer, Apple geddis@{apple}.com
Smart Card Services Project/Dev Lead:
Project Wiki: SmartCardServices.MacOSFforge.Org <http://smartcardservices.macosfforge.org/>
Mailing Lists: Lists.MacOSForge.Org/mailman/listinfo <http://lists.macosforge.org/mailman/listinfo>
SCS Contact: scs-cotact@macosforge.org
SCS Admin: scs-admin@macosforge.org
_____________________________________________________________________
Sorry Shawn, nothing personal, but that's what it looks like from our perspective:
- What road map? We're not going to go to a WWDC just to get two simple answers (we don't have the time, the staff, and Apple is just one platform we need to support).
- They are really simple questions, but no one wants to commit to an answer.

So unfortunate that you feel the need to slander that which you do not know.

And how can we 'know' what no one will tell us about?

Since you obviously *do* care, please feel free to show it and answer our year-long questions:

(Frederik [in Bcc:], please correct/add, here's our chance)

We need to keep supporting Middleware (pkcs#11 module for Firefox and others, whatever-is-required for Safari) for the Belgian eID; all the frameworks we used to build have now been *deprecated* by Apple. We now have no idea:
- Whether Apple will not suddenly drop support entirely and we'll only find out from an OSX pre-release.
- How future versions of Key Chain/Safari will handle Smart Cards
- Whether Apple *will* still support Smart Cards on a system level or whether we'll have to "ship-our-own" support for that (we've tried before to create tenable builds for SmartCardServices, ourselves, and it looks like others are trying that road, as well - see Chris)
- Whether to contact folks like Centrify and Thursby because Apple will outsource all Smart Card support to them?
- Whether Apple will suddenly produce a brand new Smart Card framework that we have to scramble to support?

WHAT do we need to do to keep supporting our national ID card on OSX, now and for the "road map"pable future? (scope: at least the next year, every year)

Eagerly awaiting Frederik's additions and your enlightening revelations.

WKR, Frank.

On 04/27/2015 06:51 AM, Shawn Geddis wrote:
Addendum: We have seen Apple create a new Crypto Token Kit API (Obj C / Swift), and a ctkpcsc daemon that is most likely built on top of CTK. But we have no idea if a successor for tokend is planned and whether such will be based on CTK.

WKR, -f

On 04/27/2015 07:31 AM, Frank Marien wrote:
participants (6)
- Chris Inacio
- Disiena, Ridley (MSFC-IS60)[EAST]
- Frank Marien
- Frank Mariën
- Ludovic Rousseau
- Shawn Geddis