[SmartcardServices-Users] [Fed-Talk] DoD ECA Certificates - Hardware vs Software with the Mac

Shawn A. Geddis geddis at apple.com
Mon May 10 07:33:32 PDT 2010


Bob,

To add clarity to other comments made already...


All Smart Card questions, comments, feedback go to http://SmartCardServices.MacOSFOrge.Org/  mailing lists...

On May 10, 2010, at 9:38 AM, Bob Colbert wrote:
...
> Particularly, I am trying to understand the ECA certificate program for DoD contractors.  I currently have a “software” certificate.

All applications on Mac OS X interface to credential stores as "Keychains" (except legacy apps using PKCS#11).  A Smart Card is simply a "Dynamic Keychain" - available only while the Smart Card is inserted.  


>  I was looking to convert it to either USB or SmartCard.  

You would not exactly convert the Identity (Certificate / Private Key), but change the storage medium from File-based Keychain to a Hardware Token-based Keychain (Smart Card).  It would be a "smart card" whether it was a plastic card or USB form factor -- Smart Card simply refers to the chip-based technology (referred to as "CHIP and PIN" in Europe). 

> The ECA program defines this as Medium Hardware Assurance or Token Hardware Assurance.  The Medium one is supposedly the ECA equivalent of a CAC card, however I haven't had any problems thus far just using my software certificates.  But I really don’t fully understand the technical/everyday usage difference between Medium Hardware vs Token Hardware levels.

Tim properly noted that the issue for you is not the device (smart card), but rather what profile (applet) is loaded onto the device.  PIV & CAC are already there in Mac OS X (have been for years) and CACNG is currently in beta via MacOSForge.

If you want the easiest path forward, your organization would pick a PIV-compliant smart card and hence would have out of the box support on both Mac OS X and Windows 7.


> While contacting one of the 3 vendors approved for ECA certificate issuance, it was brought up that there is a “middleware” client required for use with either a USB-based or SmartCard device for either Medium Hardware or Token Hardware levels.  I believe the client is ActivClient.  I am not sure if this middleware is required for all 3 vendors or just this one and is the middleware client the same for all three vendors.

"Middleware" is not required on Mac OS X for Smart Cards; it is built into the OS.  However, your system needs a corresponding "Tokend" for each Smart Card "type".  Apple provides CAC tokend / PIV tokend (among others) and many of the Smart Card vendors make a tokend available for their proprietary cards when needed by their customers.  Again, this is specific to the card profile (applet) loaded onto the device.


> My basic questions about the middleware are the following:
> Is this middleware still required using Mac 10.6.3?  Previous posts by Shawn Geddis from Apple seem to imply that everything is provided for within the Mac OS.

See comments above.

> The ECA vendor seemed to imply that the current version of ActivClient is not ready for Snow Leopard.

I do not believe you will see a SL version of ActivClient.

> Does this middleware impact the logon process or just when I want to sign/encrypt emails? My understanding of its usage is that it is a holder of the 2 certificates that I currently have in a software-version, that I just have to insert/authenticate during the creation/sending/reading of the emails.  We have a mixed Mac/PC environment and I am not fully ready to implement that type of signon environment currently required with government CAC usage.  I just want to use the certs for email encryption.

As Tim noted, what you want to use your Smart Card for is up to you.

> Does this middleware interface properly with either Mac Mail or Microsoft Entourage or again, is this middleware redundant?

Mail.app and Entourage properly interface via Keychains and hence any valid credentials available to your system -- File-based, Smart Card-based, Directory Server-based, etc.


Again, All Smart Card questions, comments, feedback go to http://SmartCardServices.MacOSFOrge.Org/  mailing lists...

- Shawn
_____________________________________________________
Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
