PIV.tokend question: on-card key escrowed support?
Does the OS X Forge provided PIV.tokend support the on-card key history specifications in NIST SP 800-73-3 Part 1? And if so, can OS X Applications [via the PIV Keychain] make use of the Key History -> Retired X.509 Certificate for Key objects?

Link to info: http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-car...

Thanks in advance,
Ridley DiSiena
NASA ICAM Engineering
On Apr 30, 2013, at 9:29 AM, "Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]" <ridley.disiena@nasa.gov> wrote:
> Does the OS X Forge provided PIV.tokend support the on-card key history specifications in NIST SP 800-73-3 Part 1? And if so, can OS X Applications [via the PIV Keychain] make use of the Key History -> Retired X.509 Certificate for Key objects?
> Link to info http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-car...
Ridley,

Short Answer: No. You may want to check with the commercial Tokend providers.

More detailed Answer: The current PIV.Tokend hosted by the SmartCardServices lacks the explicit support for the Key History component of SP 800-73-3. In fact, the PIV.Tokend lacks significant compliance to SP 800-73-3 at this time. That is on the Project's plate, but currently does not fully comply with the spec.

An interesting byproduct of The Keychain Architecture is that Certificates and their corresponding private keys DO NOT need to be in the same "Logical Keychain". This means that a Cert stored in a file-based Keychain could be used with its corresponding Private Key in a Hardware-based Keychain (Smart Card) and even appear in the "My Certificates" list in Keychain Access. That said, if the Private Keys are exposed as objects via the Tokend to Keychain Services, you would have support for Key History without the need to go and fetch the corresponding Certificate if they are not stored on the card.

Support for Key History would require work that is currently not available from the SmartCardServices Project.

- Shawn

______________________________________________________
Shawn Geddis                                geddis@me.com
Enterprise Security Consulting Engineer, Apple  geddis@apple.com
MacOSForge: Smart Card Services Project Lead:
  Web:   http://smartcardservices.macosforge.org/
  Lists: http://lists.macosforge.org/mailman/listinfo
______________________________________________________
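For readers who want to see what a tokend (or any middleware) would have to interpret to offer the Key History support discussed in this thread, here is an added example that is not part of the original thread and not code from the SmartCardServices project. It parses a constructed PIV Key History object (SP 800-73-3 Part 1 data object 5FC10C, with the keysWithOnCardCerts 0xC1, keysWithOffCardCerts 0xC2 and offCardCertURL 0xF3 elements, as I read them from the spec) and works out which retired key references (0x82 onward) and which Retired X.509 Certificate for Key Management objects (5FC10D onward) a client would need to present to Keychain Services. The sample bytes, the URL and the assumption that on-card-certificate keys occupy the first slots are constructed for this example.

```python
"""Parse a PIV Key History object and map it to retired key slots.

Added example, not part of the original thread. Tag values follow SP 800-73-3
Part 1 as the author of this example recalls them; sample data is constructed.
"""

KEY_HISTORY_TAG = "5FC10C"          # Key History data object (container tag)
MAX_RETIRED_KEYS = 20               # spec allows up to 20 retired key management keys
FIRST_RETIRED_KEY_REF = 0x82        # key references 0x82 .. 0x95
FIRST_RETIRED_CERT_TAG = 0x5FC10D   # cert objects 5FC10D .. 5FC120


def parse_ber_tlv(data: bytes) -> dict:
    """Parse a flat run of single-byte-tag BER-TLV elements into {tag: value}.

    Handles short-form and long-form (0x81 / 0x82 ...) lengths, which is all the
    Key History elements need. Raises ValueError on truncated input.
    """
    out, i = {}, 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV element 0x%02X" % tag)
        out[tag] = data[i:i + length]
        i += length
    return out


def parse_key_history(obj: bytes) -> dict:
    """Unwrap the 0x53 discretionary-data envelope and validate the Key History fields."""
    outer = parse_ber_tlv(obj)
    if 0x53 not in outer:
        raise ValueError("missing 0x53 envelope")
    fields = parse_ber_tlv(outer[0x53])
    on_card = fields[0xC1][0]
    off_card = fields[0xC2][0]
    url = fields.get(0xF3, b"").decode("ascii") or None
    # Consistency checks a defender would want before trusting the object.
    if on_card + off_card > MAX_RETIRED_KEYS:
        raise ValueError("key history claims more than %d retired keys" % MAX_RETIRED_KEYS)
    if off_card > 0 and url is None:
        raise ValueError("off-card certificates declared but no offCardCertURL")
    if off_card == 0 and url is not None:
        raise ValueError("offCardCertURL present with no off-card certificates")
    return {"on_card": on_card, "off_card": off_card, "url": url}


def retired_key_slots(info: dict) -> list:
    """List the retired key references and certificate object tags implied by the counts.

    Assumption of this example: keys whose certificates are on the card occupy the
    first `on_card` slots, and keys with off-card certificates follow them.
    """
    slots = []
    total = info["on_card"] + info["off_card"]
    for idx in range(total):
        slots.append({
            "key_ref": FIRST_RETIRED_KEY_REF + idx,
            "cert_tag": "%06X" % (FIRST_RETIRED_CERT_TAG + idx),
            "cert_location": "on-card" if idx < info["on_card"] else "off-card",
        })
    return slots


# Constructed sample: 2 keys with on-card certs, 1 with an off-card cert, plus an
# empty Error Detection Code element (0xFE), wrapped in the 0x53 envelope.
_URL = b"https://example.invalid/piv/certs.p7b"
_INNER = (bytes([0xC1, 0x01, 0x02])
          + bytes([0xC2, 0x01, 0x01])
          + bytes([0xF3, len(_URL)]) + _URL
          + bytes([0xFE, 0x00]))
SAMPLE_KEY_HISTORY = bytes([0x53, len(_INNER)]) + _INNER


if __name__ == "__main__":
    info = parse_key_history(SAMPLE_KEY_HISTORY)
    print("Key History:", info)
    for slot in retired_key_slots(info):
        print("key ref 0x%02X -> cert object %s (%s)"
              % (slot["key_ref"], slot["cert_tag"], slot["cert_location"]))
```

The practical point, in the terms Shawn uses above: the two on-card slots can be surfaced to Keychain Services as certificate plus private key, while the off-card slot only yields a private key object and the certificate would have to be fetched from the URL and placed in a file-based keychain for the pair to appear in "My Certificates".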