[SmartcardServices-Users] [Fed-Talk] Help tracing access to keys/certificates?

Uri Blumenthal uri at mit.edu
Fri Oct 30 13:33:28 PDT 2015


On Oct 30, 2015, at 14:57, Henry B (Hank) Hotz, CISSP <hbhotz at oxy.edu> wrote:
>> On Oct 30, 2015, at 9:05 AM, Disiena, Ridley (MSFC-IS60)[EAST] <ridley.disiena at nasa.gov> wrote:
>> 
>> Since the Yubikey PIV applet has not been validated by NIST and no testing
>> artifacts are available, I would not assume the applet is compliant.
> 
> Since restarting Mail (without restarting anything in the card/keychain system) is a workaround, I think it’s reasonable to think the problem is in Mail, or in Mail’s use of keychain.

Or in the Keychain API (whatever it is) itself - perhaps it enforces PIN-authentication for a “new” app, but “forgets” to do that for subsequent requests from the same app; so restarting Mail makes it a “new” app again, forces authentication again, etc.

> However if there is some suspicion Yubikey support is an issue, then we should be reporting the PIV applet number on the Yubikey. There are several “in the wild”. I feel sure Yubikey will be responsive to bug reports with sufficient detail.

I’m aware of two: PIV applet 0.1.2 and 0.1.3. I’m having these issues with 0.1.3 - have not tried Mail with 0.1.2.


> Also I think 10.10 was when Apple began “officially” supporting Yubikey/PIV.

???

But I use 10.10.5 anyway.
--
Uri Blumenthal
uri at mit.edu


