[Tokend-Dev] PIV Auth with CRL Checks
Shawn A. Geddis
geddis at mac.com
Wed Jul 21 12:09:47 PDT 2010
On Jul 21, 2010, at 2:54 PM, Bram Cymet wrote:
> I hope this is the right list to send this to, and if it is not, please let me know where the right place would be.
> I have successfully got PIV cards working for login and screensaver access under Snow Leopard. The problem I am having is that it seems to ignore the fact that Keychain Access sees the certs on the cards as being revoked.
> Is it possible with the current Tokend/Smartcardservices to make it so that if a cert has been revoked that a person using that card is no longer able to log into the system? Or will I have to make some modifications to get this functionality working?
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752
This list is specifically for Tokend Development and your question is a User Question in the use of Smart Cards on a Mac OS X System. I will cc the User's list in my response, but keep in mind that this particular list is for those "developing" a Tokend.
You will need to explain which method you are using for Client Authentication:
• PubKeyHash - Does not require that the Certificate itself has not been revoked
• Attribute Matching - Leveraging attribute(s) from the cert on the card to determine which DS Account to Authenticate against
• PKINIT (SSO to DS) - Validates the cert / cert chain locally as well as authenticates to Kerberos KDC with that Certificate.
Which method are you using?
Shawn Geddis geddis at mac.com
Security Consulting Engineer geddis at apple.com
MacOSForge Project Lead: Smart Card Services
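The reply above turns on a distinction the original poster had not drawn: a PubKeyHash binding compares a hash of the key on the card against a value stored at pairing time and never looks at the certificate's status, whereas a method that validates the certificate chain can be made to consult a CRL. The following script is an added example and is not code from this thread, from Tokend or from Apple. It builds a throwaway CA with the openssl command-line tool (1.1.1 or later), issues one certificate standing in for a card's PIV Authentication certificate, revokes it into a CRL, and then runs both kinds of check side by side. Every name, path and the demo CA itself are constructed for the demonstration; `pubkeyhash_login` and `chain_login` are illustrative stand-ins for the two login methods, not the actual Mac OS X implementations.

```shell
#!/bin/sh
# Added example, not from the Tokend-Dev thread or Apple's code: builds a
# throwaway CA, issues one "card" certificate, revokes it into a CRL, and
# runs the two kinds of check the reply contrasts. Everything here (names,
# paths, the demo CA) is constructed for the demonstration; the only
# dependency is the openssl command-line tool (1.1.1 or later).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/ca"
mkdir -p "$CA_DIR/newcerts"
touch "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# Minimal config for "openssl req -x509" (the CA) and "openssl ca"
# (issuing, revoking, CRL generation). \$dir is expanded by openssl.
cat > "$WORK/demo.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext

[ ca_dn ]
CN = Demo Issuing CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF

CA_CRT="$CA_DIR/ca.crt"
CA_CRL="$CA_DIR/ca.crl"
CARD_CRT="$WORK/card.crt"

# Self-signed demo CA, then a key pair and CSR standing in for the card's
# PIV Authentication key, issued through "openssl ca" so the serial lands
# in index.txt and can be revoked later.
openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$CA_DIR/ca.key" -out "$CA_CRT" 2>/dev/null
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo PIV Holder" -keyout "$WORK/card.key" -out "$WORK/card.csr" 2>/dev/null
openssl ca -batch -notext -config "$WORK/demo.cnf" \
    -in "$WORK/card.csr" -out "$CARD_CRT" 2>/dev/null

# SHA-1 of the DER SubjectPublicKeyInfo: the value a PubKeyHash binding
# records against the directory account when the card is paired.
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 | awk '{print $NF}'
}

# PubKeyHash-style check (illustrative): only "does the key on the card hash
# to the stored value?" No issuer, validity or revocation data is consulted.
pubkeyhash_login() {   # $1 = cert from the card, $2 = enrolled hash
    [ "$(pubkey_hash "$1")" = "$2" ]
}

# Path-validation-style check (illustrative): chain to the CA and, when a
# CRL is supplied, reject a revoked serial.
chain_login() {        # $1 = cert, $2 = CA cert, $3 = CRL (optional)
    if [ -n "$3" ]; then
        openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

ENROLLED_HASH="$(pubkey_hash "$CARD_CRT")"   # captured at pairing time

# Revoke the card certificate and publish the CRL.
openssl ca -config "$WORK/demo.cnf" -revoke "$CARD_CRT" 2>/dev/null
openssl ca -config "$WORK/demo.cnf" -gencrl -out "$CA_CRL" 2>/dev/null

report() { if "$@"; then echo "allowed"; else echo "denied"; fi; }
echo "PubKeyHash match after revocation:   $(report pubkeyhash_login "$CARD_CRT" "$ENROLLED_HASH")"
echo "Chain validation, no CRL:            $(report chain_login "$CARD_CRT" "$CA_CRT")"
echo "Chain validation with CRL check:     $(report chain_login "$CARD_CRT" "$CA_CRT" "$CA_CRL")"
```

The first two lines of output read "allowed": the key hash is unchanged by revocation, and a plain chain build has no revocation data to consult. Only the third check, chain validation with `-crl_check` against a CRL that actually lists the serial, reads "denied". Whatever Keychain Access displays, a login path that only compares key hashes has no step at which that CRL is ever read.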