On Feb 23, 2011, at 2:42 PM, Will Coleman wrote:
I do have one quick follow-up question: how does the card "tack" on the additional digits to the ID without the middleware present?
It doesn't.
For example, we have a query tool that I use to look at the card, and there is NO place that I can see those additional digits that are presented when I plug in the card to Windows 7 (178004) in addition to the NT Principal Name, which = 2001306561 + 178004 (something like that). When I have ActivIdentity installed, what I see is just the NT name (2001306561@mil) underneath the name of the card holder. When I uninstall the ActivIdentity software I see the longer ID and NO additional ID to login with (which is good, since that is the default value).
You're looking at completely different certificates. The PIV minidriver shows you the PIV cert with the extended UPN syntax. ActivClient (by default) show you the DoD Email Signature cert with the shorter EDIPI-only UPN syntax. (FWIW, they actually use different smartcard interfaces; the PIV driver uses NIST SP800-73 and ActivClient uses GSC-IS 2.1. AC can use SP800-73 *as well* but it's not on by default in the CAC version.)
Is there a way to query the PIV cert directly on the Mac? I'm sure that value is there somewhere.
To see the PIV cert on the Mac you need PIV.tokend to take ownership of the card. Currently the CAC.tokend (or CACNG.tokend, if installed) wins because securityd prefers it. You can move the CAC.tokend package *out* of /Security/Library/Security/tokend and re-insert the card to drive it as a PIV. -- Tim
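The two UPN values discussed above both live in the certificate's Subject Alternative Name extension as a Microsoft userPrincipalName otherName (OID 1.3.6.1.4.1.311.20.2.3), so once a tool can hand you the raw certificate, extracting the UPN is a matter of walking that DER structure. The following is an added, self-contained example (not code from the thread, ActivClient, or any tokend) using only the Python standard library: it builds a constructed SAN extension value in the two shapes the thread describes (an EDIPI-only UPN plus an rfc822Name, as on the email signature cert, and a longer PIV-style UPN) and parses the UPN back out. The sample identity strings are constructed to follow the pattern in the thread and are not real identities; which card holds which cert is not checked here.

```python
# Added example: encode and decode the userPrincipalName otherName inside a
# SubjectAltName extension value using only DER primitives from the stdlib.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft userPrincipalName otherName

def _der_len(n):
    """DER length field for a content length n (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def build_san(upn=None, email=None):
    """Constructed SubjectAltName value: GeneralNames with optional
    otherName(UPN) [0] and rfc822Name [1] entries."""
    names = b""
    if upn:
        # otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
        # the UPN value is a UTF8String (tag 0x0C).
        names += tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
    if email:
        names += tlv(0x81, email.encode("ascii"))  # rfc822Name is [1] IMPLICIT IA5String
    return tlv(0x30, names)  # SEQUENCE OF GeneralName

def upn_from_san(san_der):
    """Return the UPN string from a SubjectAltName value, or None if absent."""
    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag != 0xA0:          # not an otherName
            continue
        otag, oid_body, p = read_tlv(inner, 0)
        if otag != 0x06 or decode_oid(oid_body) != UPN_OID:
            continue             # some other otherName type (e.g. FASC-N)
        vtag, explicit, _ = read_tlv(inner, p)
        stag, s, _ = read_tlv(explicit, 0)
        if vtag == 0xA0 and stag == 0x0C:
            return s.decode("utf-8")
    return None

# Constructed samples following the pattern described in the thread.
EMAIL_CERT_SAN = build_san(upn="2001306561@mil", email="someone@example.mil")
PIV_CERT_SAN = build_san(upn="2001306561178004@mil")

if __name__ == "__main__":
    print("email-signature style UPN:", upn_from_san(EMAIL_CERT_SAN))
    print("PIV style UPN:            ", upn_from_san(PIV_CERT_SAN))
```

The same walk applies to a real certificate once you have its DER: locate the SubjectAltName extension (OID 2.5.29.17) in the TBSCertificate, and pass its OCTET STRING contents to upn_from_san. Comparing the result across the email-signature and PIV certificates makes the difference Tim describes visible without relying on what either driver chooses to display.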