[...] Sure. But in this case, there seems to be a simple answer: they can configure FF for the behavior they desire, and they cannot configure Mac OS X so that Safari behaves that way. Once Safari *can* be configured in a way that works with their sites, it'll be duplicated [...]
Subject changed to properly reflect this ongoing discussion.... On Jul 3, 2008, at 10:49 AM, Boyd Fletcher wrote: > quoted text
There is. If the user selected the wrong certificate (probably trying each one until one works) when prompted by Safari and that certificate was not accepted either, then the user is prompted again, until one selected is accepted by the server. This is all based, of course, on the assumption the server is configured as *required* for Client-Authentication with certificates. The challenge that most of you are having is with sites that are configured as _optional_ where, right now, a manual configuration of an Identity Preference is required - yes, using Keychain Access. We are looking at being able to handle the _optional_ case in the future. > quoted text
There is a fundamental difference between FireFox's Security/PKI model and that which is leveraged by Safari.

/* Shawn's personal rant on this point follows */

FireFox is a complete stand-alone application which requires that all of its Certs / Trust / Settings be performed within the application - hence the _need_ to prompt _within_ the application for Passwords / Certs. This means that even if you already have the Certs / Passwords managed by Mac OS X, you have to duplicate your effort to tell FireFox what to do with the exact same information. Might be nice for Applications like FireFox to integrate with the OS they are running on and take better advantage of the OS Security / PKI services rather than needing to duplicate those same services. I am a little surprised that so many IT folks who are "Central Management" focused prefer an application that makes no effort in OS integration and requires redundant effort to manage. Maintaining good Security is hard enough without duplicating the required efforts.

In my opinion, it is very dangerous to be pushing all of the security decisions into the application that runs in user space. It is much safer and better practice to rely on the security enforcement of the OS. Mac OS X provides a System-wide architecture for this which can be set _once_ and safely relied on by every single application that leverages the corresponding Sec* APIs. Not only that, Applications do not need to attempt to get into the security game and try to do security -- which frequently is one of their last concerns. Safari is relying, as it should, on the Security / Certificate management of the OS. That said, the OS is performing all of the Certificate parsing, chain-of-trust validation, confirming proper key usage, etc.

/* Thus ends Shawn's personal rant on this point :-) */

Now back to our previously scheduled programming...
- Shawn

I recently had the pleasure :-( of re-installing Mac OS 10.4.6 from DVD on two Macs, then wading through 20+ Apple software updates. Literally kids, don't try this at home (on 1.5 Mbps DSL) -- unless you want to spend all day babysitting your computer. [...]
Fix permissions goes through a list of default permissions for everything in the standard disk and changes them back to what they are supposed to be. Adobe is good at making RW changes to system folders/files. I always run fix permissions after installing Adobe software. [...]
No, but I bet sticking in the DVD and running Disk check and permission repair IS in the "magic" binder? Is it a leap to assume fix perms solves a root perms problem? [...]
chmod isn't in the little 3 ring binder they have. On Jul 3, 2008, at 12:01 PM, Bell, Ian Frederick wrote: [...] http://blog.joelesler.net
Well, it seems that chmod 775 / to the root file system did the trick. I am now back in my system and have updated the box. Would it have been so hard for support to have given me just this small bit of help? Ian
Title: Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites

I guess what I meant was that there should be a way in Safari to force the ID pref to be set and allow it to be modified. Though the auto prompting is good, if it fails or the user selects the wrong value there needs to be a way to change it without using Keychain (which is a bit daunting for the average user). Actually it would be nice if Safari had an interface to access passwords like FireFox does and add the ability to set Certs as well.

boyd

On 7/2/08 7:30 PM, "Shawn Geddis" <email@hidden> wrote:
> On Jul 2, 2008, at 5:52 PM, Boyd Fletcher wrote:
>> Any chance we can get Apple to allow the use of wildcards in the URL for a site when setting the ID Pref Cert? for example: https://*.us.army.mil
> That is the desire going forward. Probably even going to https://*.army.mil/ Keep in mind this can be problematic as well if, within say the US Army, you authenticate with the ID Cert at one site and the Email Signing Cert at another one. If you had a wildcard ID Pref, then it would either mean all sites would be fed the same cert (similar to the problem we are getting away from) or you would also end up with a wild card ID Pref and an ID Pref for each site *not* using the same cert as selected in the wild card definition. It is an issue we are well aware of and are addressing moving forward.
>> Also, I think it would help a lot if Safari had a GUI hook that would let you set the ID Pref Cert for the current site.
> It does! Also, keep in mind the recent changes we made to improve this even more with 10.5.3 & Safari. The issues with this are currently impacted by the way the Server is configured for client-authentication. We are going to try and improve on this even more going forward -- with our never ending desire to improve upon the currently shipping implementations.
Mac OS X 10.5.2 (and earlier) / Safari:
• Safari 3 automatically sends the first available client certificate in your keychain
• If the first certificate sent to the site was *not* accepted *and* the server acknowledges the failure during the protocol handshake / Authentication (SSL/TLS) then Mac OS X's network services bubble up the failure to Safari which will then display a sheet indicating the failure with a list of other possible certs to select instead. Once selected, the ID Pref is set.

Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679
[...]

Server Side Configuration Caveat:
Safari may not prompt you to select a client certificate if the server you are attempting to authenticate to is configured to *optionally* accept (rather than require) client authentication. Many of the US Federal Government web servers are configured for *optional* rather than *required*, since there is still a transition from User/Pass over to Smart Cards.

System will auto create Identity Preference *IF* Server configured for *required*
As noted in the KBase article referenced above, when accessing a website configured as *required*, Safari will prompt the user for the appropriate certificate to use for client authentication, but ONLY if it is configured as *required*.

Manually Creating Identity Preferences -- Server configured for *optional*
In this case you can force a particular client certificate to be sent by manually creating an identity preference item for the desired server authentication. Note that it is important to know the correct URL for the actual authentication process which may significantly differ from the standard login URL.

- Shawn
Sorry, different issue. I was talking about the BootCamp update, not the general Apple software update. I found this on Apple's website, http://discussions.apple.com/thread.jspa?messageID=7310046&#7310046 You aren't the only one having the problems. [...]
I watched the long iPhone 2.0 movie and noticed the new settings for airplane mode. You can leave WiFi on while still being in airplane mode (Bluetooth and cellular stay off). This got me to thinking about the camera. Since we can't have camera phones on site, and have to keep Bluetooth turned off, it makes it hard to find any cell phone that will work, much less smartphones. We are using Blackberrys but they have restrictions on where they can be used. The iPhone should be able to be "adjusted" to include individual on/off settings for the camera, Bluetooth, cellular, and WiFi, all under password control. I know people have previously talked about smartcard access and while this would be a nice option (actually great option), having the ability to turn off certain features while on site is an absolute requirement (not having them in the phone is the actual requirement but soon there won't be any phones or computers without on-board Bluetooth and wireless so something has to change). I would love to see an Enterprise iPhone developer come up with a solution, although this would probably have to be done by Apple. Having this option would make it a whole lot easier for iPhones to be accepted by Federal agencies. Peter Link Cyber Security Analyst Cyber Security Program Lawrence Livermore National Laboratory PO Box 808, L-315 Livermore, CA 94550 email@hidden
Classification: UNCLASSIFIED Caveats: NONE I am still at SP2. I guess I could be managed up to SP3, any day. It sounds like you might have been updated to SP3 before running the Apple BootCamp update 2.1. I did the same thing and am getting the same results. [...]
It sounds like you might have been updated to SP3 before running the Apple BootCamp update 2.1. I did the same thing and am getting the same results. I've checked the web and there doesn't appear to be any way to apply this update after XP has been updated to SP3. [...]
Folks, I just had the need for the first time to use my AppleCare premium support to fix a server issue I was having, and it was a big waste of time. Why? Because they can only fix problems from the GUI; that's right, if you go into single user mode they cannot help you. [...]
Classification: UNCLASSIFIED Caveats: NONE I am running Apple Software for Windows on a Dual Intel Mac Pro. Windows XP SP2. Apple Software Update tells me, when I try to install ASUW ver. 2.1: "Apple Software Update for Windows" has an invalid signature. It will not be installed. [...]
On Jul 2, 2008, at 5:52 PM, Boyd Fletcher wrote: > quoted text
That is the desire going forward. Probably even going to https://*.army.mil/ Keep in mind this can be problematic as well if, within say the US Army, you authenticate with the ID Cert at one site and the Email Signing Cert at another one. If you had a wildcard ID Pref, then it would either mean all sites would be fed the same cert (similar to the problem we are getting away from) or you would also end up with a wild card ID Pref and an ID Pref for each site *not* using the same cert as selected in the wild card definition. It is an issue we are well aware of and are addressing moving forward. > quoted text
It does! Also, keep in mind the recent changes we made to improve this even more with 10.5.3 & Safari. The issues with this are currently impacted by the way the Server is configured for client-authentication. We are going to try and improve on this even more going forward -- with our never ending desire to improve upon the currently shipping implementations.

Mac OS X 10.5.2 (and earlier) / Safari:
• Safari 3 automatically sends the first available client certificate in your keychain
• If the first certificate sent to the site was *not* accepted *and* the server acknowledges the failure during the protocol handshake / Authentication (SSL/TLS) then Mac OS X's network services bubble up the failure to Safari which will then display a sheet indicating the failure with a list of other possible certs to select instead. Once selected, the ID Pref is set.

Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679

From my previous message on this... > quoted text
- Shawn

Title: Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites

Thanks Shawn. Any chance we can get Apple to allow the use of wildcards in the URL for a site when setting the ID Pref Cert? for example: https://*.us.army. [...]
(Stepping away from vacation long enough to send some critical email) Nicholas et al. To add to Joel's comments... • Mac OS X 10.3.6 Was certified, but the process started when Apple was shipping 10.2.5 • The biggest flaw in the CC process is that most vendors end up [...]
(Stepping away from vacation long enough to send some critical email) (2) Card recognized, but I cannot access PKI protected Websites Many of you were already working with your Smart Cards on Mac OS X 10.5.0 - 10.5.2, but after you upgraded to 10.5. [...]
(Stepping away from vacation long enough to send some critical email) (1) Reader and/or Card not recognized by Mac OS X 10.5 Many of you were already working with your Smart Card / Reader on 10.4.11 and then things stopped working after you upgraded to 10.5.x. [...]
(Stepping away from vacation long enough to send some critical email) Fed-Talk Folks, It is quite evident that there is far too much confusion amongst members of this list about what is fixed where and what fixes what with respect to Smart Cards on Mac OS X. [...]
As an aside, if Vista won't be CC certified until the end of 2010, and the Air Force (at least AFMC) is pushing Vista out to all NIPR PCs *this* summer, what is the point of CC certification? Dan On Wed, Jul 2, 2008 at 12:29 PM, Timothy J Miller <email@hidden> wrote: [...]
[...] Except that the current implementation in eval is Leopard, IIRC. Snow needs its own. CC timelines are long. E.g., Vista was kicked off nearly a year ago with an estimated completion date of Dec 20*10*. However, nothing from Apple on the in-eval list: http://www.niap-ccevs. [...]
And another: http://systemsboy.blogspot.com/ The Systems Boy has been a Macintosh Systems Administrator at a New York art school for five years now. He was recently promoted to Senior Systems Administrator, and now oversees a multitude of Macintosh, [...]
Check it out. http://managingosx.wordpress.com/ > quoted text
I am hoping someone might have an answer. I have the following error being generated on my 10.5.4 SWUD server (it was 10.5.3 but I upgraded hoping to correct my issue): swupd_syncd failed with CantOpenWorkingSet: The working set file is inaccessible or corrupt [...]
The iPhone PDFs are available online: http://www.apple.com/iphone/enterprise/integration.html iPhone in your enterprise. Learn how iPhone integrates seamlessly into enterprise environments with these deployment scenarios and device configuration overview. [...]
[...] Hmmm... That obviously makes sense, and given that Snow Leopard will have a much shorter turnaround time than Leopard, if I was a betting person I would put my money on Snow. In the mean time, I hope Apple continues to work hard at making all the elements required to meet certification (read: "working audit system") available to the public on shipping versions of the OS. At a minimum, we could hopefully give Apple a heads up on problem areas ASAP. Todd
[...] Shawn is taking a well-deserved vacation this week, so you'll have to allow me, his manager, to field this one. We publicly started this latest round of Common Criteria certification when we were listed as "In Evaluation" on May 9th. However, there is [...]
Shawn, Dave, Can you guys give your 2c? There's a lot of speculation and assumption. Those of us dealing with especially strict certification agents and approval authorities need a definite answer. Thanks, Nick On Jul 1, 2008, at 10:44 AM, Dan O'Donnell wrote: [...]
Card: GEMALTO ACCESS 64KV2
Reader: SCR 331
Driver: Standard leopard driver
Not working:
https://www.hpcmo.hpc.mil/security/keerberos/auth/pki/
https://webmail.nmci.navy.mil
https://infosec.navy.mil
On Jul 1, 2008, at 10:21 AM, Kerry wrote: [...]
I'm still running 10.5.2, and I was able to access both of the websites Basil mentioned without a problem.
CAC: AXALTO ACCESS 64K
Reader: OMNIKEY CARDMAN 3121
Driver: Leopard (10.5.2)
Richard
On Jul 1, 2008, at 5:12 PM, Basil Decina wrote: [...]
All, I installed 10.5.4 and at first had no luck with the Navy Webmail (Https://webmail.nmci.navy.mi ). I then did as Tim suggested and added an identity preference to my keychain list. I then went back to the site and it worked! So, part one done. I then tried the https://navyreserve.navy. [...]
Same experience with the same sites listed below using:
CAC: AXALTO ACCESS 64K
Reader: USB SCRRx31 (one with Firmware 4.13 and another with Firmware 5.18)
Driver: Standard one that comes with MacOS Leopard (10.5.1 upgraded through 10.5.4)
Also, I can't get into: https://dod411.gds. [...]
Title: Re: [Fed-Talk] CAC+Safari in 10.5.4
Joel: [...]
Reader: OMNIKEY CardMan 3121 & SCM SCR331
CAC: Oberthur ID One v5.2 Dual
Driver: CCIDClassDriver.bundle (Thursby patch)
Working (To Date): https://ryweb.ry.wpafb.af.mil/
Not Working: https://ebs.afrl.af.mil/ https://wwwmil. [...]
https://infosec.navy.mil/ https://powhatan.iiie.disa.mil/ https://iase.disa.mil/ don't work for me. GemPlus GXP3 64v2N and SCR 331 reader. M.[...]
CAC: Oberthur v5.2
Reader: SCR331 (USB)
Driver: (Thursby's replacement driver in /usr/libexec/SmartCardServices/drivers/)
Working:[...]
Did you try manually setting an ID preference?
1) Quit Safari completely (command-Q or from the menu)
2) Insert card and open Keychain Access.
2a) Delete any old ID preference you may have for the site. Sort by "kind" works best for finding them.
3) Select the CAC keychain. [...]
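The Keychain Access steps above and Shawn's note on manually creating an identity preference for servers configured for *optional* client authentication can also be done from a shell, which is easier to script across many Macs. The script below is an added example, not code from the Fed-Talk thread or from Apple; it assumes the security(1) tool on the Mac being configured provides the find-certificate -Z, set-identity-preference and get-identity-preference subcommands. The certificate is pinned by SHA-1 hash rather than by common name because the three certificates on a CAC (identity, email signing, email encryption) carry the same subject CN, which is exactly the wrong-cert problem Shawn describes; the URL passed in must be the one that actually performs the client authentication, which may differ from the login page. The sample find-certificate output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): set a Mac OS X identity
# preference for a site from the command line instead of Keychain Access.
# Assumes security(1) with find-certificate -Z / set-identity-preference /
# get-identity-preference on the Mac being configured.

# Read `security find-certificate -c <CN> -Z` output on stdin and print the
# first SHA-1 fingerprint it contains. Constructed sample of that output:
#   SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
#   keychain: "/Users/me/Library/Keychains/CAC"
# Returns non-zero if no hash line is present.
sha1_from_find_output() {
    found=$(sed -n 's/^SHA-1 hash: *//p' | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Pin the certificate with fingerprint $2 to the authentication URL $1.
# Quit Safari first, as in the Keychain Access procedure. On a non-Mac
# host security(1) is absent and this returns 2 without doing anything.
set_idpref() {
    url=$1; sha1=$2
    command -v security >/dev/null 2>&1 || {
        echo "security(1) not found; this only works on Mac OS X" >&2
        return 2
    }
    security set-identity-preference -s "$url" -Z "$sha1"
}

# Show which identity is currently preferred for the URL (sanity check
# that the preference landed on the right cert and the right URL).
show_idpref() {
    command -v security >/dev/null 2>&1 || return 2
    security get-identity-preference -s "$1"
}

# Usage on the Mac (all CAC certs share the CN, so list them all with -a
# and pick the hash of the identity/PIV-auth certificate):
#   security find-certificate -a -c "LAST.FIRST.M.1234567890" -Z
#   set_idpref "https://webmail.nmci.navy.mil/" 0123456789ABCDEF0123456789ABCDEF01234567
#   show_idpref "https://webmail.nmci.navy.mil/"
```

If the site still asks for a card after this, the preference is most likely keyed to the wrong URL; repeat with the URL of the redirect target that performs the TLS client-auth handshake rather than the page you bookmarked.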
[...] The update should address some, but not all, of the problems encountered when using a smart card for client authentication. We're still working with a few sites to determine what else needs to be done. This has gotten complicated as it seems to have gotten back [...]
I tried it last night on a Power Mac G5 and the Navy Infosec site and it did not work for me. I could see the card in Keychain Access and login to the card there, but the site just told me I needed a card to connect. It worked properly using Firefox 3 with Coolkey. [...]
I am still unable to access www.my.af.mil w/ my CAC.
-eric

On Jul 1, 2008, at 10:21 AM, Kerry wrote:
> OS X 10.5.4 was released yesterday, and according to: http://support.apple.com/kb/HT1994 One of the fixes for Safari is: "Resolves issues that may be encountered when accessing secure web pages with client certificates that reside on a smart card" I've installed the update but I'm still having issues with some CAC protected sites (like AKO), while at least one or two work. Did this update work for anyone else? Thanks, Kerry
> - Kerry A. Matthews | email@hidden Major Shared Resource Center U.S. Army Engineer Research and Development Center Vicksburg, MS
OS X 10.5.4 was released yesterday, and according to: http://support.apple.com/kb/HT1994 One of the fixes for Safari is: "Resolves issues that may be encountered when accessing secure web pages with client certificates that reside on a smart card" I've installed the update but I'm still having issues with some CAC protected sites (like AKO), while at least one or two work. Did this update work for anyone else? Thanks, Kerry - Kerry A. Matthews | email@hidden Major Shared Resource Center U.S. Army Engineer Research and Development Center Vicksburg, MS
[...] 10.3.6 (only) was certified for Common Criteria, and that was the first version of OSX that supported (BSM) auditing. No versions of OSX after that were submitted for certification so nothing else is actually certified, but the subsequent versions of the OS are compliant with the Common Criteria certification guidelines and setup of 10.3.6. However, the OS has diverged quite a bit since 10.3.6*, so to say that 10.5 is compliant may be stretching the assertion a bit.** I assume that's why Apple has submitted some version of 10.5.x for recertification. (Which suggests that auditing will be working again at some point.) I expect that most inspectors will accept versions other than 10.3.6 as long as they are configured as close to the Common Criteria Guide specifications as one can get. But as always, YMMV. And note that the auditing flags specified by your facility or inspector are probably different than what is configured by Apple in the original installer, so you probably need to reset those.

* For example, removal of Classic changed in 10.4; and is now completely gone in 10.5. (The removal of Classic is outlined in the Common Criteria Admin Guide, Chapter 3.)
** Especially since auditing isn't working, and that's a critical part of the process.