On 07/21/2010 03:09 PM, Shawn A. Geddis wrote:
On Jul 21, 2010, at 2:54 PM, Bram Cymet wrote:
Hi,
I hope this is the right list to send this to and if it is not please let me know where the right place would be.
I have successfully got PIV cards working for login and screensaver access under Snow Leopard. The problem I am having is that it seems to ignore the fact that Keychain Access sees the certs on the cards as being revoked.
Is it possible with the current Tokend/Smartcardservices to make it so that if a cert has been revoked that a person using that card is no longer able to log into the system? Or will I have to make some modifications to get this functionality working?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
Bram,
This list is specifically for Tokend Development and your question is a User Question in the use of Smart Cards on a Mac OS X System. I will cc the User's list in my response, but keep in mind that this particular list is for those "developing" a Tokend.
You will need to explain which method you are using for Client Authentication:
• PubKeyHash - Does not require that the Certificate itself has not been revoked
• Attribute Matching - Leveraging attribute(s) from the cert on the card to determine which DS Account to Authenticate against
• PKINIT (SSO to DS) - Validates the cert / cert chain locally as well as authenticates to Kerberos KDC with that Certificate.
Which method are you using ?
-Shawn
__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
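The distinction Shawn draws above, a PubKeyHash lookup versus the local chain validation PKINIT performs, shown in an added example that is not part of the list thread and is not code from Smart Card Services or any Tokend. It builds a throwaway CA and one "card" certificate with openssl, publishes an empty CRL, then revokes the card certificate and republishes the CRL. The hash of the card's public key (assumed here to be SHA-1 over the DER SubjectPublicKeyInfo; the exact input Apple hashes is not stated in the thread) is identical before and after revocation, so a lookup keyed on it cannot notice, while `openssl verify -crl_check` rejects the revoked certificate. All names, paths and the demo CA are constructed for the example; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): PubKeyHash lookup vs. CRL-checked
# chain validation, using a throwaway CA constructed here.
set -e

WORK=$(mktemp -d)

# Issue (or re-issue) the CA's CRL from its index database.
issue_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 30 \
      -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Build the demo PKI: issuing CA, one end-entity "card" cert, empty CRL.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.pem" -subj "/CN=Demo Issuing CA" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/card.key" \
      -out "$WORK/card.csr" -subj "/CN=Demo Cardholder" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/card.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/card.pem" \
      -days 30 >/dev/null 2>&1
  # Minimal 'openssl ca' database, only what revoke/gencrl need.
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
  issue_crl
}

# Revoke the card certificate at the CA and publish a fresh CRL.
revoke_card() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/card.pem" >/dev/null 2>&1
  issue_crl
}

# What a PubKeyHash lookup keys on: a hash of the card's public key.
# Assumption for the demo: SHA-1 over the DER SubjectPublicKeyInfo.
pubkeyhash() {
  openssl x509 -in "$WORK/card.pem" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha1 | awk '{print $NF}'
}

# What PKINIT-style local validation does: chain to the trusted CA and
# consult its CRL. Succeeds only if the cert chains and is not revoked.
card_cert_valid() {
  cat "$WORK/ca.pem" "$WORK/ca.crl" > "$WORK/trust.pem"
  openssl verify -crl_check -CAfile "$WORK/trust.pem" \
      "$WORK/card.pem" >/dev/null 2>&1
}

# Demo run: validate, revoke, validate again, compare the hashes.
setup_pki
HASH_BEFORE=$(pubkeyhash)
if card_cert_valid; then echo "before revocation: chain OK, not revoked"; fi
revoke_card
HASH_AFTER=$(pubkeyhash)
if card_cert_valid; then
  echo "after revocation: still accepted (this is the PubKeyHash situation)"
else
  echo "after revocation: rejected by CRL check"
fi
echo "pubkeyhash before=$HASH_BEFORE"
echo "pubkeyhash after =$HASH_AFTER  (identical: a hash lookup cannot notice)"
rm -rf "$WORK"
```

The two CRL-checked runs are the part a login path would have to perform (or delegate to a KDC via PKINIT) to honour the revocation Keychain Access displays; matching only the public-key hash, the value printed twice above, skips that step entirely.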
Hi Shawn,

Thanks for the response. I am using PubKeyHash at the moment, which, based on what you have written above, I guess means it is working the way it should be. So is PKINIT or Attribute Matching (or either) the Client Authentication method I should be using? Or can I make it work with PubKeyHash as well?

Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752