[Tokend-Dev] PIV Auth with CRL Checks

Shawn A. Geddis geddis at mac.com
Wed Jul 21 12:09:47 PDT 2010

On Jul 21, 2010, at 2:54 PM, Bram Cymet wrote:
> Hi,
> I hope this is the right list to send this to and if it is not please let me know where the right place would be.
> I have successfully got PIV cards working for login and screensaver access under Snow Leopard. The problem I am having is that it seems to ignore the fact that Keychain Access sees the certs on the cards as being revoked.
> Is it possible with the current Tokend/Smartcardservices to make it so that if a cert has been revoked that a person using that card is no longer able to log into the system? Or will I have to make some modifications to get this functionality working?
> Thanks,
> -- 
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752


This list is specifically for Tokend Development and your question is a User Question in the use of Smart Cards on a Mac OS X System.  I will cc the User's list in my response, but keep in mind that this particular list is for those "developing" a Tokend.

You will need to explain which method you are using for Client Authentication:
	• PubKeyHash		- Does not require that the Certificate itself has not been revoked
	• Attribute Matching	- Leveraging attribute(s) from the cert on the card to determine which DS Account to Authenticate against
	• PKINIT (SSO to DS)	- Validates the cert / cert chain locally as well as authenticates to Kerberos KDC with that Certificate.

Which method are you using ?

Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer				   geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: not available
URL: <http://lists.macosforge.org/pipermail/tokend-dev/attachments/20100721/33920f20/attachment.bin>

More information about the Tokend-Dev mailing list