[SmartcardServices-Users] Custom Smart Card Source

Bob Colbert colbert at detk.net
Mon Jul 26 18:26:13 PDT 2010


Shawn,
I admit that I don't fully understand the intricacies of how the Smart Cards work with each OS.  The part that I don't understand is what tool would I use to generate keys on the Smart Card if I only had access to Snow Leopard?

When I first obtained my Hardware Assurance token from my ECA vendor, it was a USB token from ActivIdentity that was initially set up using ActivClient 6.1. They also offer a Smart Card from Oberthur that I would also assume would use ActivClient to create the card profile, create the PIN, generate the keys, and then finally put the certificates on the card.  Earlier posts on this list indicate that the SmartCard from Oberthur works in Snow Leopard, whereas I noted a few weeks back (and you confirmed), that the ActivIdentity USB token profile is not properly read; I can unlock the card though.

Does Snow Leopard, as shipped, have that capability to create/initialize the Smart Card/USB token?  If yes, can you steer me towards some documentation or if not, how would you do it?

Sorry for being dense with this.

Bob Colbert


On Jul 26, 2010, at 5:43 PM, "Shawn A. Geddis" <geddis at mac.com> wrote:

On Jul 26, 2010, at 11:28 AM, Bob Colbert wrote:
Does anyone know of a company that can provide custom printed Smart Cards for company PhotoIDs?  In addition, I would hope that the provided Smart Card would be compatible with the current state of SmartCard support and with a working tokend for Snow Leopard.  I understand that part of it is choosing an already supported reader.  Apparently, I have discovered with my current ActivIdentity USB token that the reader portion of the token is supported, however the card profile needs to be updated to properly read the certificates from the USB token.

The Smart Card should have the capability for supporting the External Certification Authority type certificates - http://iase.disa.mil/pki/eca/.  Another capability would be that the Smart Card is compatible with ActivClient for Windows for key generation and/or certificate import.  Unless there is another way under Snow Leopard to generate key requests on the card or otherwise import software certificates onto them?

Thanks,
Bob Colbert

Bob,

I think has already given you excellent guidance and feedback, but I wanted to note a few things in your message for the benefit of all.

I would hope that the provided Smart Card would be compatible with the current state of SmartCard support and with a working tokend for Snow Leopard.

That is not very specific.  Are you asking for specific profile support with support in the shipping version of the OS or from various sources?  Many Smart Card vendors have a Tokend for 10.6 and will of course make it available when needed.

 I understand that part of it is choosing an already supported reader.

Yes, but there are nearly 130 readers supported with the CCID Class Driver in Mac OS X 10.6 and with an update to the CCID Driver, many more to come.  As you noted, the reader is part of the equation and the profile on the card (typically implemented as a Java Applet) is the other major component.


The Smart Card should have the capability for supporting the External Certification Authority type certificates - http://iase.disa.mil/pki/eca/

The X.509 Identities are not the issue as we know, it is access / support for the profile / applet.

Another capability would be that the Smart Card is compatible with ActivClient for Windows for key generation and/or certificate import.

You are making reference to wanting the cards to be compatible with your ActivClient for Windows which means that you are issuing cards from ActivIdentity.  You should simply talk to your rep and learn what profile is loaded on the cards you are using on Windows.  What you are referencing is really a Card Management system which can provision and manage the cards. You would just follow with acquiring a Tokend from ActivIdentity if that is what you wanted.

My personal suggestion is that you consider a PIV compliant card issuance, since both Apple (Mac OS X) and Microsoft (Windows 7) have built-in support for PIV.  There are a couple variances of PIV, but going down this path ensures that you have something standards-based supported on both platforms.  Just a suggestion and not a requirement.


-Shawn
__________________________________________________
Shawn Geddis       geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
