Re: [SmartcardServices-Dev] SmartCardServices in OSX 10.8
Has Apple worked out the next generation USB Token / Network HSM system support yet? From what I'm seeing, all the interfaces I am developing against for Symantec are deprecated - which is an unpleasant situation to be in, since technically the interface can be swiped out from under us.

Are there any plans for patching the pcscd daemon or the ccid drivers? We are using Aladdin tokens and experience routine failures and "race conditions" between multiple applications using a device where, even though transactions are properly used, hangs are encountered. This also bubbles up to SecurityD, causing system hangs, since it accesses pcscd as well.

If a third party were to upgrade pcscd or the ccid driver to resolve problems with what is installed at the system level, what sort of issues would we encounter if Apple were to push an update to these components (or is it planned to never update these)?
- Would the Apple update fail completely, preventing further updates to the system?
- Would the update ignore the update to a changed system component?
- Would the update overwrite our changes?

On Fri, Feb 17, 2012 at 12:09 PM, Shawn Geddis <geddis@me.com> wrote:
On Feb 17, 2012, at 11:52 AM, Thomas Harning Jr. wrote:
I see that 10.7 has CDSA and SmartCardServices deprecated, meaning it is out the door for 10.8.
How would one build TokenD implementations since CDSA is an integral dependency (TokenD directly exposes/consumes CSSM* types)?
Is there a new pluggable-crypto system in the works? If so, hopefully it can support software-driven interfaces (ex: those that aren't PC/SC, perhaps direct USB tokens or network-based devices)...
Thomas,
Deprecation of CDSA is what prompted the removal of the Tokend modules from OS X Lion. If you restore them on an OS X Lion system, you will have capabilities restored. The Tokend modules have been based on CDSA in OS X 10.4, 10.5, 10.6 and still can in 10.7. Deprecation of CDSA means that it is no longer THE Crypto/PKI architecture to rely on and that it will be gone in some future version of the OS - not exactly a guarantee it will be gone, but you can’t count on it being there in a future release once it has been publicly announced as deprecated.
Apple has not made any announcements with respect to future frameworks to provide the same or similar functionality. I can say that it is extremely high on the customer request list for Token/SmartCard support on iOS & OSX. Since CDSA is deprecated and was never going to make it to iOS (size/age/functionality working against it), Apple was always faced with looking at something new.
As for the "software-driven interfaces", Tokend has been used quite a bit with USB Tokens and Network HSMs. The system-wide support for abstracting Identities (of various types) for iOS / OSX is quite important.
Stay tuned to this space for future information.
-Shawn
__________________________________________________
Shawn Geddis geddis@me.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
-- Thomas Harning Jr. (http://about.me/harningt)
Thomas,

I don't have the answers to your questions, exactly.. What I do know is that despite the fork involved with SmartCardServices, the pcsc-lite project still builds on OSX, out-of-the-box (given macports and proper command-line tools), and it could therefore quite easily be packaged by "a third party" that would require an up-to-date pcscd/ccid combo. We've been investigating doing exactly that and so your scenario may be quite imminent.

We're wondering about the future, also. I don't really see how we can continue to support the OSX platform, or begin supporting iOS, without at least some information from the manufacturer. Frankly, if it were a matter of personal choice, I would have dropped the entire platform 2 years ago. With that kind of attitude..

WKR,
-f
_______________________________________________
SmartcardServices-Dev mailing list
SmartcardServices-Dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-dev
Hello,

2013/8/13 Frank Marien <frank@apsu.be>:
Thomas,
I don't have the answers to your questions, exactly.. What I do know is that despite the fork involved with SmartCardServices, the pcsc-lite project still builds on OSX, out-of-the-box (given macports and proper command-line tools), and it could therefore quite easily be packaged by "a third party" that would require an up-to-date pcscd/ccid combo. We've been investigating doing exactly that and so your scenario may be quite imminent.
As the maintainer of the "official" pcsc-lite I try to make it buildable and usable on Mac OS X. First because I need a modern pcsc-lite to develop the CCID driver. Second because I still expect a convergence of the two pcsc-lite (official and Apple fork) one day. But that is a lot of work.
We're wondering about the future, also. I don't really see how we can continue to support the OSX platform, or begin supporting iOS, without at least some information from the manufacturer.
I have no information regarding the CDSA substitute. But I guess/hope Apple will not drop pcsc-lite and the smart card infrastructure.

Bye
--
Dr. Ludovic Rousseau
If there were a MacPorts package that also provided updated versions of all the pieces from opensc-project + smartcard sniffer + pam_krb5, I would be very interested. It adds up to a lot of surgery on MacOS, so however doable it may be, it seems like too much for anyone outside of Apple.

On Aug 13, 2013, at 12:06 PM, Frank Marien <frank@apsu.be> wrote:
I don't have the answers to your questions, exactly.. What I do know is that despite the fork involved with SmartCardServices, the pcsc-lite project still builds on OSX, out-of-the-box (given macports and proper command-line tools), and it could therefore quite easily be packaged by "a third party" that would require an up-to-date pcscd/ccid combo. We've been investigating doing exactly that and so your scenario may be quite imminent.
------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
On 08/13/13 22:34, Henry B. Hotz wrote:
If there were a MacPorts package that also provided updated versions of all the pieces from opensc-project + smartcard sniffer + pam_krb5, I would be very interested.

This, I don't know. What I wanted to find out was how hard it would be to build a functional pcsclite daemon/client libs and CCID libs from source on OSX, today.
The conclusion was: with just a few tools considered basic on e.g. GNU/Linux and one lib from macports: very easy indeed. I basically recall that I needed automake/autoconf (probably ok from the XCode command-line tools, not sure, I had a bunch of ports already installed), and libusb..So that's easy.. I suspected as much but since Ludovic has just confirmed this in a previous post here: pcsc-lite was kept up-to-date in terms of OSX as well as the other platforms, for internal reasons, but nevertheless: that work is already done.
It adds up to a lot of surgery on MacOS, so however doable it may be, it seems like too much for anyone outside of Apple.
I agree that while it seems technically very doable, it is Apple's job to either make good use of all that work, or to make a statement about what their plans are instead. -f
2013/8/13 Frank Marien <frank@apsu.be>:
On 08/13/13 22:34, Henry B. Hotz wrote:
If there were a MacPorts package that also provided updated versions of all the pieces from opensc-project + smartcard sniffer + pam_krb5, I would be very interested.

This, I don't know. What I wanted to find out was how hard it would be to build a functional pcsclite daemon/client libs and CCID libs from source on OSX, today.
The conclusion was: with just a few tools considered basic on e.g. GNU/Linux and one lib from macports: very easy indeed.
I basically recall that I needed automake/autoconf (probably ok from the XCode command-line tools, not sure, I had a bunch of ports already installed), and libusb..So that's easy..
I suspected as much but since Ludovic has just confirmed this in a previous post here: pcsc-lite was kept up-to-date in terms of OSX as well as the other platforms, for internal reasons, but nevertheless: that work is already done.
The pcsc-lite I maintain is far from the pcsc-lite Apple forked some years ago. They are not equivalent. The "official" pcsc-lite does not support securityd, does not support both 32 and 64-bit drivers, does not support Rosetta, etc. I do NOT recommend (or even suggest) using the official pcsc-lite on Mac OS X.

As I wrote in my previous email, a lot of work is needed to merge the 2 versions.

Bye
--
Dr. Ludovic Rousseau
On 08/14/13 20:02, Ludovic Rousseau wrote:
2013/8/13 Frank Marien <frank@apsu.be>:
On 08/13/13 22:34, Henry B. Hotz wrote:
If there were a MacPorts package that also provided updated versions of all the pieces from opensc-project + smartcard sniffer + pam_krb5, I would be very interested.

This, I don't know. What I wanted to find out was how hard it would be to build a functional pcsclite daemon/client libs and CCID libs from source on OSX, today.
The conclusion was: with just a few tools considered basic on e.g. GNU/Linux and one lib from macports: very easy indeed.
I basically recall that I needed automake/autoconf (probably ok from the XCode command-line tools, not sure, I had a bunch of ports already installed), and libusb..So that's easy..
I suspected as much but since Ludovic has just confirmed this in a previous post here: pcsc-lite was kept up-to-date in terms of OSX as well as the other platforms, for internal reasons, but nevertheless: that work is already done.

The pcsc-lite I maintain is far from the pcsc-lite Apple forked some years ago. They are not equivalent.
The "official" pcsc-lite does not support securityd, does not support both 32 and 64-bit drivers, does not support Rosetta, etc. I do NOT recommend (or even suggest) using the official pcsc-lite on Mac OS X.
As I wrote in my previous email, a lot of work is needed to merge the 2 versions.

Sure, they are not equivalent: consider me duly warned, but as far as I'm concerned, these days, if I have pcscd running with just the CCID driver, and just on 64-bit systems, I consider that "fully functional" as far as OSX is concerned. If Apple doesn't make a statement or take action, I think that this is more than enough work on our sides to keep supporting their platform, creating working solutions on recent installations with standards-compliant readers, even without the niceties, compliance to their standards, backwards-compatibility, etc..
I can't tell my customer's service desk to tell the user that it's tough luck that their new card reader isn't even recognized but we do support older systems, older card readers, and we're fully compliant with whatever Apple came up with (or abandoned) this week.. -f
+1

I suppose these comments belong on Fed-Talk, but we (as a NASA contractor) need to move forward with supporting smart card login and PKINIT. I'm concerned that Apple's support appears to be lagging our needs. It seems like a capability that ought to be part of the OS, especially since it *was* part of the OS in 10.6. I'm reluctant to recommend a 3rd party, however capable they are (and there are at least two that I would trust to know what they are doing). It just makes support harder, the more parties we need to integrate.

On Aug 13, 2013, at 10:31 AM, Thomas Harning Jr. <harningt@gmail.com> wrote:
Has Apple worked out the next generation USB Token / Network HSM system support yet? From what I'm seeing, all the interfaces I am developing against for Symantec are deprecated - which is an unpleasant situation to be in, since technically the interface can be swiped out from under us.