[SmartcardServices-Users] Issue with CAC on Snow Leopard

Charles Victory cvictory at y-linkconsulting.com
Tue Nov 23 09:03:37 PST 2010


Paul,

Thank you very much for the prompt reply. I have looked at the certificates
again and I can see several extensions marked as critical. At least I won't
waste any more time pulling my hair out in frustration over this issue.

Do you have any idea of how I can track this issue and when it might be
resolved?

Thanks,

Charlie

From:  Paul Nelson <nelson at thursby.com>
Date:  Tue, 23 Nov 2010 10:27:39 -0600
To:  Charles Victory <cvictory at y-linkconsulting.com>
Cc:  <smartcardservices-users at lists.macosforge.org>
Subject:  Re: [SmartcardServices-Users] Issue with CAC on Snow Leopard


On Nov 23, 2010, at 9:15 AM, Charles Victory wrote:

> Hello,
> 
> I have a SCR3310 device and am using a GEMALTO ACCESS 64KV2 CAC. I have
> downloaded and installed CAC-NG (BETA v0.95)/Snow Leopard from
> http://smartcardservices.macosforge.org/trac/wiki/installers. I can now see
> my CAC certificates on the CAC Keychain where I could not before this step.
> That is great, however the 4 certificates I have are all showing that they
> have invalid issuers. When I show the certificate after evaluating it, it
> shows that the DoD Interoperability Root Ca 1 and DoD Root Ca 2 cannot be used
> due to unrecognized critical extensions. This shows up when I go to use
> Outlook 2011 for Mac and it will not allow me to digitally sign or encrypt my
> e-mail. I don't think it is a CAC issue because when I use the CAC on my old
> XP PC using Outlook 2003, I am able to digitally sign and encrypt my e-mail
> there. 
> 
> Can someone provide some insight as to what my issue may be?
This is most likely due to a certificate extension being flagged as
Critical, but not being understood by the Apple Security framework.  It
could be that your certificates have a name constraints extension flagged as
critical.
I don't think Apple recognizes the name constraints, and must report that
the certificate is invalid due to the critical flag.

I have reported the name constraints problem as a bug with the title "Apple
PKI trust policy does not handle name constraints (RFC RFC5280)"

Here is the bug report text:

> This problem presents a denial of service security issue.
> 
> Implementations of RFC 5280 "Internet X.509 Public Key Infrastructure
> Certificate and Certificate Revocation List (CRL) Profile" must support
> name constraints per section 4.2
> 
> This section states:
> 
> "At a minimum, applications conforming to this profile MUST recognize the
> following extensions: key usage (Section 4.2.1.3), certificate policies
> (Section 4.2.1.4), subject alternative name (Section 4.2.1.6), basic
> constraints (Section 4.2.1.9), name constraints (Section 4.2.1.10), policy
> constraints (Section 4.2.1.11), extended key usage (Section 4.2.1.12), and
> inhibit anyPolicy (Section 4.2.1.14)."
> 
> Read more: http://www.faqs.org/rfcs/rfc5280.html#ixzz0dMPhg7t9
> 
> Most new CA certificates issued by the U.S. Federal Government contain name
> constraints. 
> 
> For example NASA PIV cards include such certificates.  The Macintosh cannot
> validate such certificate chains because the name constraint is marked as
> critical.
> 
> Refer to http://www.idmanagement.gov/fpkia
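As an added example (not from this thread, the CAC-NG installer or Apple's code), the check Paul's diagnosis implies, in Python with only the standard library: walk a certificate's DER-encoded Extensions block, list which extensions are flagged critical, and report the ones a validator must reject because it does not recognize them (RFC 5280 section 4.2). The sample Extensions bytes are constructed here, not taken from a DoD certificate, and the "validator without nameConstraints" set is an assumption modelled on the behaviour Paul describes.

```python
RFC5280_MUST_RECOGNIZE = {  # RFC 5280 section 4.2, the list quoted in the bug report
    "2.5.29.15": "keyUsage", "2.5.29.32": "certificatePolicies",
    "2.5.29.17": "subjectAltName", "2.5.29.19": "basicConstraints",
    "2.5.29.30": "nameConstraints", "2.5.29.36": "policyConstraints",
    "2.5.29.37": "extKeyUsage", "2.5.29.54": "inhibitAnyPolicy",
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos: (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(oid, critical)] for every Extension in a DER Extensions SEQUENCE."""
    _, seq, _ = _tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)
        _, oid_raw, p = _tlv(ext, 0)
        tag, val, _ = _tlv(ext, p)  # BOOLEAN critical is DEFAULT FALSE, so it is absent when false
        out.append((_oid(oid_raw), tag == 0x01 and val != b"\x00"))
    return out

def unrecognized_critical(der, recognized):
    """OIDs a validator that knows only `recognized` must reject the certificate for."""
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in recognized]

def _der(tag, body):  # encoder for the constructed sample below (short lengths only)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real DoD certificate: keyUsage (non-critical),
# basicConstraints (critical) and nameConstraints (critical, permitted DNS ".mil").
KEY_USAGE = _der(0x30, _der(0x06, b"\x55\x1d\x0f") + _der(0x04, _der(0x03, b"\x01\x06")))
BASIC = _der(0x30, _der(0x06, b"\x55\x1d\x13") + _der(0x01, b"\xff")
             + _der(0x04, _der(0x30, _der(0x01, b"\xff"))))
NAMES = _der(0x30, _der(0x06, b"\x55\x1d\x1e") + _der(0x01, b"\xff")
             + _der(0x04, _der(0x30, _der(0xa0, _der(0x30, _der(0x82, b".mil"))))))
SAMPLE_EXTENSIONS = _der(0x30, KEY_USAGE + BASIC + NAMES)
# Assumed validator modelled on Paul's description: the RFC list minus nameConstraints.
WITHOUT_NAME_CONSTRAINTS = {k: v for k, v in RFC5280_MUST_RECOGNIZE.items() if v != "nameConstraints"}

if __name__ == "__main__":
    print(parse_extensions(SAMPLE_EXTENSIONS))
    print("full RFC 5280 validator rejects on:", unrecognized_critical(SAMPLE_EXTENSIONS, RFC5280_MUST_RECOGNIZE))
    print("validator lacking nameConstraints rejects on:", unrecognized_critical(SAMPLE_EXTENSIONS, WITHOUT_NAME_CONSTRAINTS))
```

To run it against a real CA certificate, feed `parse_extensions` the DER bytes of the Extensions SEQUENCE (the `[3]` element of the TBSCertificate); the same critical nameConstraints flag then shows up as the lone entry in the second list.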


