On Oct 30, 2015, at 14:57, Henry B (Hank) Hotz, CISSP <hbhotz@oxy.edu> wrote:
On Oct 30, 2015, at 9:05 AM, Disiena, Ridley (MSFC-IS60)[EAST] <ridley.disiena@nasa.gov> wrote:
Since the Yubikey PIV applet has not been validated by NIST and no testing artifacts are available, I would not assume the applet is compliant.
Since restarting Mail (without restarting anything in the card/keychain system) is a workaround, I think it’s reasonable to think the problem is in Mail, or in Mail’s use of keychain.
Or in the Keychain API (whatever it is) itself - perhaps it enforces PIN-authentication for a “new” app, but “forgets” to do that for subsequent requests from the same app; so restarting Mail makes it a “new” app again, forces authentication again, etc.
However if there is some suspicion Yubikey support is an issue, then we should be reporting the PIV applet number on the Yubikey. There are several “in the wild”. I feel sure Yubikey will be responsive to bug reports with sufficient detail.
I’m aware of two: PIV applet 0.1.2 and 0.1.3. I’m having these issues with 0.1.3 - have not tried Mail with 0.1.2.
Also I think 10.10 was when Apple began “officially” supporting Yubikey/PIV.
??? But I use 10.10.5 anyway.
--
Uri Blumenthal
uri@mit.edu