[SmartcardServices-Users] [Fed-Talk] Updated smartcard installer?

Shawn Geddis geddis at apple.com
Fri Sep 28 13:10:04 PDT 2012


Ridley,

Responses to questions / statements in your messages...

> Interesting that they are still suggesting attribute matching, is that not worse than using a password?

Apparently there is a misunderstanding.  I believe (correct me if I am wrong) in your question above you are referring to the inclusion of a default "cacloginconfig.plist" for those who want/need to use it.  Note the end of the sentence when we describe what the file is...

> • cacloginconfig.plist - Default configuration file as optional install for those using Attribute Matching or PKINIT configurations.


For those that may not be aware, built-in OS X PKINIT-based Smart Card Login *also* relies on the existence and mapping defined in the cacloginconfig.plist file.  This allows an organization to use a typical "NT Principal Name" (in cert) ==>  "userPrincipalName" in the DS or provide them the flexibility to alter that attribute mapping.  It does NOT suggest or promote the use of the "Attribute Matching" method for associating a card to a DS account (Non-PKINIT).

> One thing I’ve noticed is that the PKCS#11 shim is gone in Mountain Lion.  Even after this new installer.


The "PKCS#11 shim" (/usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so), as are the Tokend modules, is based on the deprecated CDSA.  The Source Code for this module has been posted on the SmartCardServices project @ MacOSForge for 3 years now [1].  It has been in the Project's Trunk for almost two years [2].  You are correct that aside from the source code, a binary has not been included to date with the SCS Releases at Mac OS Forge.  That doesn't mean it won't happen, just that it has not happened to date.

> At NASA we had been told Apple and OS X Forge stopped this effort and have heard nothing since;

I personally notified the community about the deprecation of CDSA in OS X Lion and that the Tokend modules would no longer ship in OS X starting with OS X Lion, but who said that "Mac OS Forge" (not "OS X Forge") had stopped any effort on this?  I know of no such statement being made by anyone from the Project.

I will openly admit that it is currently not a hot item undergoing further development at this time, but anyone desiring to contribute to or work on the TokendPKCS11 Shim is more than happy to do so via the Ticketing System.

> so the new installers mentioning the PKINIT implementation is a surprise to us.

This is nothing new since Mac OS X Snow Leopard v10.6!  It still exists and was provided for ongoing support for users around the world.  There are people in many other countries that use Smart Card Services in OS X.  It is not limited to the US Federal space.


[1] http://smartcardservices.macosforge.org/trac/browser/branches/tokend/pk11-0009/TokendPKCS11
[2] http://smartcardservices.macosforge.org/trac/browser/trunk/TokendPKCS11

- Shawn
__________________________________________________
Shawn Geddis                                              geddis at me.com
Security Consulting Engineer                              geddis at apple.com

MacOSForge Project Lead: Smart Card Services
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
__________________________________________________

On Sep 28, 2012, at 9:30 AM, "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <ridley.disiena at nasa.gov> wrote:
> I meant, I had not seen this announce yet, at all.  And yes I am aware we are told all things smartcard are supposed to be on another list, but I had not seen it announced anywhere and to be honest, I feel it is very relevant on this list since we have Federal mandates like M-11-11.  It is the main reason I’m on this list.
>  
> One thing I’ve noticed is that the PKCS#11 shim is gone in Mountain Lion.  Even after this new installer.
>  
> Also, if anyone in the Federal Government is working with a PKINIT implementation based on native support, please contact me.  At NASA we had been told Apple and OS X Forge stopped this effort and have heard nothing since; so the new installers mentioning the PKINIT implementation is a surprise to us.  We’d like to check out anything new in this area.
>  
> -Ridley
>  
> From: fed-talk-bounces+ridley.disiena=nasa.gov at lists.apple.com [mailto:fed-talk-bounces+ridley.disiena=nasa.gov at lists.apple.com] On Behalf Of Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]
> Sent: Friday, September 28, 2012 8:36 AM
> To: Fed-talk at lists.apple.com
> Subject: [Fed-Talk] Updated smartcard installer?
>  
> I didn’t see this announced yet on this list:
>  
> http://smartcardservices.macosforge.org/trac/wiki/installers
>  
> (1)  **NEW** Smart Card Services Update v2.0.b2-MtLion (Sep 18, 2012)
> OS Requirement: OS X Mountain Lion v10.8
> SHA-1 Hash: 4b012dd7a8f39f68311a6f48aa734c9231ac1e3f
> This installs the Tokend modules which no longer ship from Apple as part of Mac OS X beginning with OS X Lion (v10.7). Note that this installer will ONLY install onto OS X Mountain Lion v10.8. The Tokend modules installed are: BELPIC, CAC, CACNG, JPKI and PIV.
>  
> New to this release:
> • JPKI.Tokend - Build 38522 added to the update to support LASCOM in Japan.
> • cacloginconfig.plist - Default configuration file as optional install for those using Attribute Matching or PKINIT configurations.
> • SystemCACertificates.keychain - Automatically added to the Keychain Search List if not already present.
>  
>  
>  
> Interesting that they are still suggesting attribute matching, is that not worse than using a password?
>  
> Ridley DiSiena - CISSP
> ETADS - ICAM Device Integration (IDI) / NASA ICAM Engineering
> ridley.disiena at nasa.gov





