[SmartcardServices-Users] [Fed-Talk] CAC Reader and AKO on Older MacBookPro

Shawn A. Geddis geddis at apple.com
Mon Jul 26 05:19:22 PDT 2010


Paul,

Ahh, I understand the confusion.  When you were prompted for a "Password" and you entered the "PIN" it was not saved in your file-based keychain, but rather the system "unlocked" your Smart Card (a Smart Card IS a Keychain).

Some dialogs still refer to "password" while displaying the name of the Keychain (your Smart Card Name), but the "PIN" you entered is never stored in a file-based Keychain.  The PIN is used as part of the Challenge-Response with the card which is frequently referred to as "unlocking" your card.

While your card remains in the reader after entering the PIN, the PIN is cached by the security server to prevent your needing to re-enter it for every single transaction involving the private key(s).  If you pull the card, log out or shut the system down, the cached PIN is thrown away and you would then need to enter the PIN again next time you need to access the private key(s). This is also true if you switch between Mac OS X and a virtualized environment using the Smart Card.

- Shawn
_____________________________________________________
Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise

On Jul 26, 2010, at 7:35 AM, Villano, Paul Mr CIV USA TRADOC wrote:
> The "password" that was saved was the PIN for the CAC.  It did go through the CAC and worked.
> 
> ----- Original Message -----
> From: "Shawn A. Geddis" <geddis at apple.com>
> Date: Wednesday, July 21, 2010 16:37
> Subject: Re: [Fed-Talk] CAC Reader and AKO on Older MacBookPro
> To: "Villano, Paul Mr CIV USA TRADOC" <paul.villano at us.army.mil>
> Cc: fed-talk at lists.apple.com
> 
> 
>> On Jul 20, 2010, at 8:48 AM, Villano, Paul Mr CIV USA TRADOC wrote:
>>> So I finally got around to testing from home the CAC reader I got from the suggestions from folks on this list.  I was prepared for a longish session of downloading certificates and what not.  Instead I said, what the hey, why not just try it?  So I just stuck the card in, clicked the CAC/Low bandwidth button on AKO, added the p/w to my keychain, and...well...It just worked! :o)
>>> 
>>> Anything I'm missing?  Am I supposed to download something else?  Even though I'm typing this it's hard to believe it worked within about 10 seconds.
>> 
>> 
>> Paul,
>> 
>> If you added ANY password to your keychain it would mean that a 
>> Smart Card was not in use, since there would be nothing to store 
>> inside of a keychain -->  A Smart Card IS a Keychain.
>> 
>> You shouldn't experience any issues in using the CAC, but wanted 
>> to point out that your ref to saving a p/w in your keychains 
>> indicates you were not using your CAC.
>> 
>> Keep in mind that all Smart Card related User questions, comments, 
>> issues should all go to the SmartCardServices lists....
>> 
>> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
>> - Shawn
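The distinction Shawn draws above (a file-based keychain persists password items, whereas the smart card's PIN is only cached in memory by the security server while the card stays inserted and is discarded on card removal or logout) can be made concrete with a small model. The following is an added example, not code from the thread or from Apple; the classes `FileKeychain`, `SmartCard` and `SecurityServer` are hypothetical stand-ins, and the on-card challenge-response is simplified to a constant-time PIN comparison with an HMAC standing in for the private-key signature.

```python
# Added example (not from the mailing-list thread): a model of file-based
# keychain storage versus an in-memory PIN cache for a smart card.
# All names here are hypothetical; none are Apple APIs.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class FileKeychain:
    """Password items that a file-based keychain would write to disk."""
    items: dict = field(default_factory=dict)

    def store(self, service: str, secret: str) -> None:
        self.items[service] = secret

    def contains(self, secret: str) -> bool:
        return secret in self.items.values()


class SmartCard:
    """Card-resident private key; the PIN is verified on-card and never exported."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._key = os.urandom(32)   # stand-in for the private key; never leaves the card
        self.inserted = True

    def verify_pin(self, pin: str) -> bool:
        # Constant-time comparison stands in for the real challenge-response.
        return hmac.compare_digest(pin.encode(), self._pin.encode())

    def sign(self, pin: str, data: bytes) -> bytes:
        if not self.inserted:
            raise RuntimeError("card removed")
        if not self.verify_pin(pin):
            raise PermissionError("wrong PIN")
        return hmac.new(self._key, data, hashlib.sha256).digest()


class SecurityServer:
    """Holds the PIN in memory only, for as long as the card stays inserted."""

    def __init__(self, card: SmartCard, file_keychain: FileKeychain) -> None:
        self.card = card
        self.file_keychain = file_keychain
        self._pin_cache = None           # never written to file_keychain

    def unlock_card(self, pin: str) -> None:
        if not self.card.verify_pin(pin):
            raise PermissionError("wrong PIN")
        self._pin_cache = pin

    def sign(self, data: bytes) -> bytes:
        if self._pin_cache is None:
            raise PermissionError("card locked; PIN required")
        return self.card.sign(self._pin_cache, data)

    def card_removed(self) -> None:
        self.card.inserted = False
        self._pin_cache = None

    def logout(self) -> None:
        self._pin_cache = None


def demo(pin: str = "123456") -> dict:
    """Walk through the lifecycle and report what happened at each step."""
    card = SmartCard(pin)                # constructed sample card with a sample PIN
    keychain = FileKeychain()
    server = SecurityServer(card, keychain)
    out = {}
    try:
        server.sign(b"hello")
        out["signed_while_locked"] = True
    except PermissionError:
        out["signed_while_locked"] = False
    server.unlock_card(pin)              # the "Password" prompt that unlocks the card
    out["signed_after_unlock"] = len(server.sign(b"hello")) == 32
    out["pin_in_file_keychain"] = keychain.contains(pin)
    server.card_removed()                # pulling the card drops the cached PIN
    try:
        server.sign(b"hello")
        out["signed_after_removal"] = True
    except (PermissionError, RuntimeError):
        out["signed_after_removal"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that nothing in the signing path ever calls `FileKeychain.store`, so the PIN never lands in a persistent item; once the card is removed the server has nothing left to present, and the next private-key operation must prompt again.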