[Tokend-Dev] [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone

Shawn Geddis geddis at apple.com
Wed Jan 30 13:07:12 PST 2013


I do agree this belongs on a developer list and have included the SmartCardServices-Users and Tokend-Dev lists here.  I will quickly try to address your items and this can continue on the other lists (other than Fed-Talk).

On Jan 30, 2013, at 1:42 PM, "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
> On Jan 24, 2013, at 8:51 AM, Shawn Geddis <geddis at apple.com> wrote:

>> OSX's Smart Card Services are backed by CDSA, which everyone should know was deprecated with the release of OS X Lion v10.7.  On OS X, all of the architectural components are still there except the Tokend modules installer needs to be downloaded from our SmartCardServices Project @ MacOSForge.org as well as the need to add the authentication mechanism line back into /etc/authorization.  Commercial products are also available to augment or replace what continues to be available from MacOSForge.org.


> Maybe this question belongs on a development list, but I'm not clear about what this means.  From an architectural/development point of view, how much of the infrastructure has gone away?

As of OS X 10.8.2, even though CDSA & Tokend were Deprecated, Nothing has "gone away".  After installing the Tokend modules from MacOSForge.org and modifying your /etc/authorization file accordingly, you have everything that was there before.  Architecturally, everything is there!  Developers providing Tokend support can still rely on the architecture as it still exits today.  Other commercial developers have chosen to augment their products with components that replace what is built-in to OS X (ie. Tokend modules).  

>  Without tokend's, are keychains still supported?

"Keychains" are an abstraction of a Key Store.  Smart Cards are still available as keychains because of the Tokend abstraction.  If you take the Tokend out of the equation or do not have a Tokend installed corresponding to your desired Smart Card then No, the smart card would not appear as a keychain -- that has been the case since day 1.

>  (Do smart cards still look like funny-named keychains?)  

Funny Named ?  The name depends on the Smart Card in use and what logic the Tokend developer chooses to use for Keychain naming.  From Apple, we provided a name that began with the card type (ie. "CAC-", "CACNG-", "PIV-", "BELPIC-") and then the unique card identification.

> Can you still daisy-chain keychain entries so one keychain entry can say to use another keychain for some specific thing?

You are referring to the use of the CLI command "systemkeychain"

Usage: systemkeychain -C [passphrase]  # (re)create system root keychain
	systemkeychain [-k destination-keychain] -s source-keychain ...
	systemkeychain -T token-protected-keychain-name

man page...

SYSTEMKEYCHAIN(8)         BSD System Manager's Manual        SYSTEMKEYCHAIN(8)

     systemkeychain -- creates system keychains and allows keychains to unlock

     systemkeychain [-fv] [-k filename] [-C] [password]
     systemkeychain [-fvc] [-k filename] [-s] [file ...]
     systemkeychain [-v] [-k filename] [-t]

     The systemkeychain can be used to create a system keychain, make it pos-
     sible for a keychain to unlock another keychain, or test unlocking a key-

> There were thousands of pages of documentation for CDSA.  While I was never up for reading them, it looked like it should be possible to associate Apple functionality with CDSA if you looked.  The Apple doc's always seemed disjoint, and sparse on details.  Without CDSA I'm left feeling like I can't find enough information to actually understand Apple's functionality.

If you are only know trying to understand Apple's implementation of CDSA (which by the way is a specification managed by the OpenGroup), I would say it is too late.  it was deprecated in OS X Lion and there is no guarantee it will exist in a future version of OS X.  

OS X has provided the "Keychain APIs" for the 99+% of developers that just need to deal with the objects on the cards.  Only middleware developers had to deal with CDSA directly.

> Of course, maybe the real answer will depend on what happens in the validation process.  *sigh*

Validation of what ?

>>> Given ubiquitous PKI support, the card should, IMO, be just an OS device driver issue, not an application issue.


>> I would agree that it would be very nice to rely on integrated services for use of various hardware tokens.  I will strongly disagree that it is simply a device driver issue -- tight integration like smart cards have on OS X does not come through the OS vendor simply dropping in a device driver - it is much more than that.


> Yeah, "device driver" is oversimplified.  I meant the whole PIV/CCID/USB/(pcscd/tokend?)/keychain(or pkcs11) support stack.  Given the OS has a ubiquitous API for interfacing with PKI credentials, the card should be supported by that API and not require every single application to write special card support code.

CCID, USB, PCSCD, Tokend... are all part of the "Smart Card Services"...
As noted above...OS X has provided the "Keychain APIs" for the 99+% of developers that just need to deal with the objects on the cards.  Only middleware developers had to deal with CDSA directly.

- Shawn
Shawn Geddis   
Security Consulting Engineer 
Apple Enterprise Division

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/tokend-dev/attachments/20130130/e7683906/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4418 bytes
Desc: not available
URL: <http://lists.macosforge.org/pipermail/tokend-dev/attachments/20130130/e7683906/attachment.p7s>

More information about the Tokend-Dev mailing list