Did you finally update CACNG to manage the full list of active CAC/PIV I and II cards? Last time I checked, I still couldn't get it to handle at least one cardstock in active issuance.
Also, how does CACNG resolve the PIN-Always rule conflict on the Digital Signature key?
For those who care:
The PIV data model applies a PIN-Always ACL on the (optional) digital signature key; PIN-Once is used for the PIV authentication key, and the PIV middleware specification requires collecting the PIN from the user for every action using a key with a PIN-Always ACL. This means that when using the DoD-Signature certificate for, e.g., website authN, a PIV-compliant middleware (like PIV.tokend) will ask for the PIN for every private key operation--a real nuisance, I assure you. :)
The CAC data model and DoD Middleware Specification have no such rule, which meant it was effectively PIN-Once. Much more usable.
This is a clear problem for middleware that claims compliance with PIV and CAC specifications. You can't do both at the same time. :)
I believe NIST is considering more explicit guidance re: middleware and PIN-Always; e.g., allowing an acknowledgement vs. PIN collection, but AFAIK this hasn't made it into the SPs yet.
-- T
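To make the PIN-Always vs. PIN-Once conflict above concrete, here is a small model of how a middleware's PIN gate behaves under each data model. This is an added illustration, not code from the thread, from PIV.tokend or from CAC.tokend; the ACL assignments follow the description above (PIV authentication key: PIN-Once, PIV digital signature key: PIN-Always, CAC keys: effectively PIN-Once), and the class, function and key names are hypothetical.

```python
"""Toy model of per-key PIN ACL enforcement in a smart-card middleware.

Added illustration only: names are hypothetical, ACLs are taken from the
thread's description of the PIV and CAC data models.
"""
from enum import Enum


class PinPolicy(Enum):
    PIN_ONCE = "PIN-Once"      # one PIN verification covers the card session
    PIN_ALWAYS = "PIN-Always"  # PIN must be collected before every key use


class MiddlewareSession:
    """Tracks PIN state for one inserted card and decides when to prompt."""

    def __init__(self, key_acls):
        self.key_acls = dict(key_acls)  # key name -> PinPolicy
        self.pin_verified = False       # has the card accepted a PIN this session?
        self.prompts = 0                # how many times the user was asked

    def use_key(self, key):
        """Return True if the user must be prompted before this private-key operation."""
        policy = self.key_acls[key]
        if policy is PinPolicy.PIN_ALWAYS or not self.pin_verified:
            # PIN-Always keys prompt unconditionally; PIN-Once keys prompt only
            # until the card has verified a PIN in this session.
            self.prompts += 1
            self.pin_verified = True
            return True
        return False


# ACLs as the thread describes them (constructed table, hypothetical key names)
PIV_MODEL = {
    "PIV Authentication": PinPolicy.PIN_ONCE,
    "Digital Signature": PinPolicy.PIN_ALWAYS,
}
CAC_MODEL = {
    "DoD Identity": PinPolicy.PIN_ONCE,
    "DoD Signature": PinPolicy.PIN_ONCE,
}


def prompt_pattern(key_acls, operations):
    """Run a sequence of key uses and report which ones prompted for the PIN."""
    session = MiddlewareSession(key_acls)
    return [session.use_key(k) for k in operations]


if __name__ == "__main__":
    # Three TLS client-auth handshakes with the signature certificate:
    print("PIV model:", prompt_pattern(PIV_MODEL, ["Digital Signature"] * 3))
    print("CAC model:", prompt_pattern(CAC_MODEL, ["DoD Signature"] * 3))
```

Running it shows the nuisance T mentions: under the PIV model every use of the signature key prompts, while under the CAC model only the first use of the session does, and a middleware cannot honour both rules for the same key at once.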
CACs *are* PIVs (they have a PIV interface); PIV.tokend can drive both. The DoD Identity certificate is not available through the PIV interface, so if you need that certificate you'll have a problem with applications that need it (e.g., for MyPay/MyBenefits).
There is third-party software that will manage both on OS X, but it's not appropriate to stump for a vendor here, so I'll leave you to your Googling. :)
-- T
________________________________________
From: smartcardservices-users-bounces@lists.macosforge.org [smartcardservices-users-bounces@lists.macosforge.org] on behalf of Rogers, Ed [ed.rogers@lmco.com]
Sent: Wednesday, November 20, 2013 07:24
To: smartcardservices-users@lists.macosforge.org
Subject: [SmartcardServices-Users] use multiple tokend
I need to use both a CAC and a company-issued smart card (PIV). I'm using OS 10.9 and find that if I have both the CAC.tokend and the PIV.tokend installed, only the first card used is supported and the next is not recognized. I end up having to remove one of the tokends for the other to work. Is there a tokend that supports both CAC and PIV, or some way to allow both to be used such that the correct tokend is selected based on the card inserted?
R/ Ed Rogers
SWFTS SE&I Technical Director
LM Manassas
(703) 367-1620