[SmartcardServices-Users] PIV.tokend question: on-card key escrowed support?

Shawn Geddis geddis at me.com
Tue Apr 30 12:01:07 PDT 2013


On Apr 30, 2013, at 9:29 AM, "Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]" <ridley.disiena at nasa.gov> wrote:
> Does the OS X Forge provided PIV.tokend support the on-card key history specifications in NIST SP 800-73-3 Part 1?  And if so, can OS X Applications [via the PIV Keychain] make use of the Key History -> Retired X.509 Certificate for Key objects 
> 
> Link to info http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf

Ridley,

Short Answer:  No.  You may want to check with the commercial Tokend providers.

More detailed Answer:
The current PIV.Tokend hosted by the SmartCardServices Project lacks explicit support for the Key History component of SP 800-73-3. In fact, the PIV.Tokend lacks significant compliance to SP 800-73-3 at this time. That is on the Project's plate, but it currently does not fully comply with the spec.

An interesting byproduct of The Keychain Architecture is that Certificates and their corresponding private keys DO NOT need to be in the same "Logical Keychain".  This means that a Cert stored in a file-based Keychain could be used with its corresponding Private Key in a Hardware-based Keychain (Smart Card) and even appear in the "My Certificates" list in Keychain Access.  That said, if the Private Keys are exposed as objects via the Tokend to Keychain Services, you would have support for Key History without the need to go and fetch the corresponding Certificate if they are not stored on the card.

Support for Key History would require work that is currently not available from the SmartCardServices Project.


- Shawn
______________________________________________________
Shawn Geddis                                       geddis at me.com
Enterprise Security Consulting Engineer, Apple     geddis at apple.com

MacOSForge: Smart Card Services  Project Lead:
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
______________________________________________________
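For readers who want to see what the Key History support discussed in this thread would actually have to handle, the following is an added example (not code from the SmartCardServices project, PIV.tokend or Apple). It decodes the SP 800-73-3 Part 1 Key History object (tag 0x5FC10C, returned inside a 0x53 discretionary-data wrapper) and derives the retired key-management key references (0x82 onward) and the on-card Retired X.509 Certificate for Key Management object tags (0x5FC10D onward) that a tokend would expose. The sample response bytes and the URL in them are constructed for the example, not read from a real card; the helper names are this example's own.

```python
"""Decode a PIV Key History object (SP 800-73-3 Part 1, tag 0x5FC10C).

The object is BER-TLV and carries:
  0xC1  keysWithOnCardCerts   (1 byte)
  0xC2  keysWithOffCardCerts  (1 byte)
  0xF3  offCardCertURL        (required when keysWithOffCardCerts > 0)
  0xFE  error detection code  (empty)
Retired key-management keys use key references 0x82..0x95 in order, first the
keys whose certificates are on the card (certificate objects 0x5FC10D..), then
the keys whose certificates are only available at the off-card URL.
"""

KEY_HISTORY_TAG = 0x5FC10C
DISCRETIONARY_DATA_TAG = 0x53
RETIRED_KEY_REF_FIRST = 0x82
RETIRED_CERT_TAG_FIRST = 0x5FC10D
MAX_RETIRED_KEYS = 20


def parse_tlv(data: bytes) -> list:
    """Split a BER-TLV byte string into (tag, value) pairs; tags are ints."""
    items, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:  # high-tag-number form: continue while bit 8 is set
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        if i >= len(data):
            raise ValueError("truncated length")
        length = data[i]
        i += 1
        if length & 0x80:  # long-form length, 1 or 2 length bytes is enough for PIV objects
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise ValueError("unsupported or truncated length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated value")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def parse_key_history(response: bytes) -> dict:
    """Decode a GET DATA response for 0x5FC10C and derive the retired key slots."""
    outer = parse_tlv(response)
    if len(outer) != 1 or outer[0][0] != DISCRETIONARY_DATA_TAG:
        raise ValueError("expected a single 0x53 discretionary-data wrapper")
    fields = dict(parse_tlv(outer[0][1]))
    try:
        on_card, off_card = fields[0xC1][0], fields[0xC2][0]
    except (KeyError, IndexError):
        raise ValueError("keysWithOnCardCerts/keysWithOffCardCerts missing") from None
    if on_card + off_card > MAX_RETIRED_KEYS:
        raise ValueError("at most 20 retired key-management keys may be referenced")
    url = fields.get(0xF3)
    if off_card and url is None:
        raise ValueError("offCardCertURL is required when keysWithOffCardCerts > 0")
    # On-card slots map 1:1 to certificate data objects; off-card slots have no
    # certificate on the card and must be resolved through the URL.
    on_slots = [{"key_ref": RETIRED_KEY_REF_FIRST + i,
                 "cert_tag": RETIRED_CERT_TAG_FIRST + i} for i in range(on_card)]
    off_slots = [{"key_ref": RETIRED_KEY_REF_FIRST + on_card + i,
                  "cert_tag": None} for i in range(off_card)]
    return {"keys_with_on_card_certs": on_card,
            "keys_with_off_card_certs": off_card,
            "off_card_cert_url": url.decode("ascii") if url is not None else None,
            "on_card": on_slots, "off_card": off_slots}


def build_key_history(on_card: int, off_card: int, url: bytes = b"") -> bytes:
    """Encode a Key History object as a card would return it (short-form lengths only)."""
    inner = bytes([0xC1, 1, on_card, 0xC2, 1, off_card])
    if url:
        inner += bytes([0xF3, len(url)]) + url
    inner += bytes([0xFE, 0])
    return bytes([DISCRETIONARY_DATA_TAG, len(inner)]) + inner


# Constructed sample (not from a real card): three retired keys with on-card
# certificates and two whose certificates are only at a hypothetical URL.
SAMPLE_URL = b"http://example.com/piv/retired.p7b"
SAMPLE_RESPONSE = build_key_history(3, 2, SAMPLE_URL)

if __name__ == "__main__":
    hist = parse_key_history(SAMPLE_RESPONSE)
    for slot in hist["on_card"]:
        print(f"key ref {slot['key_ref']:#04x} -> cert object {slot['cert_tag']:#08x}")
    for slot in hist["off_card"]:
        print(f"key ref {slot['key_ref']:#04x} -> cert at {hist['off_card_cert_url']}")
```

The derived slot list is the piece a tokend would need in order to surface retired private keys to Keychain Services: each on-card slot pairs a key reference with the certificate object to read, while each off-card slot is exactly the case Shawn describes above, a private key the card can use whose certificate has to come from somewhere else (here the off-card URL) and be placed in a separate keychain.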