<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style id="owaParaStyle">P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</style>
</head>
<body style="WORD-WRAP: break-word" fPStyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<p>Did you finally update CACNG to manage the full list of active CAC/PIV I and II cards? Last time I checked, I still couldn't get it to handle at least one cardstock in active issuance.</p>
<p> </p>
<p>Also, how does CACNG resolve the PIN-Always rule conflict on the Digital Signature key?
</p>
<p> </p>
<p>For those who care:</p>
<p> </p>
<p>The PIV data model applies a PIN-Always ACL on the (optional) digital signature key; PIN-Once is used for the PIV authentication key, and the PIV middleware specification requires collecting the PIN from the user for every action using a key with a PIN-Always
ACL. This means that when using the DoD-Signature certificate for, e.g., website authN, a PIV-compliant middleware (like PIV.tokend) will ask for the PIN for every private key operation--a real nuisance, I assure you. :)
</p>
<p> </p>
<p>The CAC data model and DoD Middleware Specification have no such rule, which meant it was effectively PIN-Once. Much more usable.</p>
<p> </p>
<p>This is a clear problem for middleware that claims compliance with PIV and CAC specifications. You can't do both at the same time. :)</p>
<p> </p>
<p>I believe NIST is considering more explicit guidance re: middleware and PIN-Always; e.g., allowing an acknowledgement vs. PIN collection, but AFAIK this hasn't made it into the SPs yet.</p>
<p> </p>
<p>-- T</p>
<p> </p>
<div style="FONT-FAMILY: Times New Roman; COLOR: #000000; FONT-SIZE: 16px">
<hr tabindex="-1">
<div style="DIRECTION: ltr" id="divRpF359084"><font color="#000000" size="2" face="Tahoma"><b>From:</b> Shawn Geddis [geddis@icloud.com]<br>
<b>Sent:</b> Thursday, January 16, 2014 17:22<br>
<b>To:</b> Miller, Timothy J.<br>
<b>Cc:</b> Mr. Ed Rogers; SmartCard Services-Users<br>
<b>Subject:</b> Re: [SmartcardServices-Users] use multiple tokend<br>
</font><br>
</div>
<div></div>
<div>On Nov 25, 2013, at 8:52 AM, Miller, Timothy J. <<a href="mailto:tmiller@mitre.org" target="_blank">tmiller@mitre.org</a>> wrote:<br>
<br>
<blockquote type="cite">CACs *are* PIVs (the have a PIV interface); PIV.tokend can drive both. The DoD Identity certificate is not available through the PIV interface, so if you need that certificate you'll have a problem with applications that need it (e.g.,
for MyPay/MyBenefits).<br>
<br>
There is thrid party software that will manage both on OS X, but it's not appropriate to stump for a vendor here, so I'll leave you to your Googling. :)<br>
<br>
-- T<br>
<br>
________________________________________<br>
From: <a href="mailto:smartcardservices-users-bounces@lists.macosforge.org" target="_blank">
smartcardservices-users-bounces@lists.macosforge.org</a> [smartcardservices-users-<a href="mailto:bounces@lists.macosforge.org" target="_blank">bounces@lists.macosforge.org</a>] on behalf of Rogers, Ed [<a href="mailto:ed.rogers@lmco.com" target="_blank">ed.rogers@lmco.com</a>]<br>
Sent: Wednesday, November 20, 2013 07:24<br>
To: <a href="mailto:smartcardservices-users@lists.macosforge.org" target="_blank">
smartcardservices-users@lists.macosforge.org</a><br>
Subject: [SmartcardServices-Users] use multiple tokend<br>
<br>
I need to use both a CAC and a company issued smart card (PIV). I’m using OS 10.9 and find that if I have both the CAC.tokend and the PIV.tokend installed, that only the first card used is supported and the next is not recognized. I end up having to remove
one of the tokend for the other to work. Is there a tokend that supports both CAC and PIV or some way to allow both to be used such that the correct tokend is selected based on the card inserted?<br>
<br>
R/ Ed Rogers<br>
SWFTS SE&I Technical Director<br>
LM Manassas<br>
(703) 367-1620</blockquote>
<div><br>
</div>
<div>Tim,</div>
<div><br>
</div>
<div>After sending a response to Ed just now on his message, I saw and realized that you had provided a response on Nov 25, unfortunately,
<b>with respect to Smart Card Services on OS X</b> your information is not correct.</div>
<div><br>
</div>
<div><b>With respect to the OS X Tokend modules</b> (originally included in OS X and now provided via the SmarCardServices Project):</div>
<div> </div>
<div><b>CAC</b> <span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>- Original Common Access Cards with a single CAC Applet</div>
<div><b>CACNG</b> <span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>- CACNG Cards with both CACv2 and PIV Applets (some refer to this as <b><span style="LINE-HEIGHT: 16px">Dual</span><span style="LINE-HEIGHT: 16px">-Persona</span></b><span style="LINE-HEIGHT: 16px; BACKGROUND-COLOR: rgb(255,255,255); FONT-FAMILY: arial,sans-serif; COLOR: rgb(68,68,68); FONT-SIZE: small">)</span></div>
<div><b>PIV</b> <span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>- Cards with only the PIV Applet</div>
<div><br>
</div>
<div>Each one of these Card Profiles are supported by the corresponding Tokend modules provided:</div>
<div><span style="WHITE-SPACE: pre" class="Apple-tab-span"></span><b>CAC.tokend</b>,
<b>CACNG.tokend</b>, and <b>PIV.tokend</b></div>
<div><br>
</div>
<div>Cards recognized on OS X as having the CACNG profile will have objects from both Applets appear and be usable from one single Dynamic Keychain. Its default Keychain Name will begin with “CACNG-…..”</div>
<div><br>
</div>
<div>You can use and select ANY of the certificates from either the CACv2 or the PIV side of the CACNG Card at all times on OS X. If you or anyone who has an issued CACNG is having troubles with this, I would love to get more information on the actual/perceived
failures.</div>
<div><br>
</div>
<br>
<div>- Shawn<br>
_____________________________________________________________________<br>
Shawn Geddis<span style="WHITE-SPACE: pre" class="Apple-tab-span"> </span> <span style="WHITE-SPACE: pre" class="Apple-tab-span">
</span> <span style="WIDOWS: 2; ORPHANS: 2">geddis@{Mac | Me | iCloud}.com</span><br>
Enterprise Security Consulting Engineer, Apple <a href="mailto:geddis@apple.com" target="_blank">
geddis@apple.com</a><br>
<br>
Smart Card Services Project/Dev Lead: <br>
<span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>Project Wiki:<span style="WHITE-SPACE: pre" class="Apple-tab-span">
</span> [<a href="http://SmartCardServices.MacOSFforge.Org" target="_blank">SmartCardServices.MacOSFforge.Org</a>]<br>
<span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>Mailing Lists:<span style="WHITE-SPACE: pre" class="Apple-tab-span">
</span> [Lists.MacOSForge.Org/mailman/listinfo]<br>
<span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>SCS Contact:<span style="WHITE-SPACE: pre" class="Apple-tab-span">
</span> [scs-cotact@macosforge.org]<br>
<span style="WHITE-SPACE: pre" class="Apple-tab-span"></span>SCS Admin:<span style="WHITE-SPACE: pre" class="Apple-tab-span">
</span> [scs-admin@macosforge.org]<br>
_____________________________________________________________________<br>
</div>
<br>
<br>
</div>
</div>
</div>
</body>
</html>