Date: July 20, 2011 12:18:40 PM CDT
To: Fed Talk
Subject: [Fed-Talk] [Announcement] OS X Lion - Smart Card Services
The following was an announcement Shawn Geddes sent out on
20 July 2011 to customers using Smart Cards on Mac OS X. I
share it here for completeness and clarity to
MacOSForge's continuing open source development and user
community.
MacOSForge's SmartCardServices project is continuing, but
Apple has
had to make changes with respect to what it ships in OS X
Smart Card Services and the ability to
develop support for a multitude of Smart Card devices and
profiles based on CDSA/Tokend has been available in OS X since
version 10.4. Approximately two years ago, Apple officially
moved the already open sourced components to an organized open
source project at
MacOSForge.org which has been led by Shawn Geddes,
Enterprise Security Consulting Engineer with involvement from
key leads within the open source community. This project
has driven the ongoing development and support for additional
readers and smart card profiles which were then incorporated
into OS X 10.5 through 10.6. *See "Previous Updates.."
below.
As Apple continues to drive innovation in the mobility space, it
is necessary to continually reevaluate how OS services can be
enhanced to better serve Apple's customer base. Apple has had
to make some tough decisions relating to the current Smart Card
Services architecture.
OS X Lion Support?
With the release of OS X Lion, Smart Card Services are
deprecated and will not ship as a customer functioning service.
That does not mean that customers will be unable to continue to
use their Smart Cards with OS X Lion. It does mean that all of
the necessary components will not come pre-shipped in OS X Lion
along with related support. Customers needing to continue to
use their Smart Cards with OS X Lion will need to pursue one of
the options mentioned here later according to their needs and
requirements.
Why the change?
The foundational components for Smart Card Services in OS X have
been based on an architecture (CDSA) that has been deprecated in
the released version of OS X Lion. This indicates CDSA's use
and support has stopped and will be removed completely in a
future release of OS X. Any solution for OS X still leveraging
the deprecated CDSA can continue to function for now, but the
CDSA infrastructure would no longer receive enhancements or bug
fixes. CDSA will no longer ship in future releases of OS X.
Apple clarified the migration
from CDSA for developers during the WWDC 2011 Conference in San
Francisco (June 6-10) during the "Next Generation Cryptographic
Services" Session 212. [Those with developer access can view
the Conference Videos via ADC on iTunes.]
What was changed?
The Smart Card Services deprecation was
limited to the following components no longer shipping in OS X.
Options Going Forward
Apple's need to deprecate what was there and focus on innovative
approaches to solving the digital identity challenges on both OS
X and iOS moving forward does not preclude customers from using
Smart Cards on OS X 10.6 and even on 10.7. Any developer / user
is expected to be able to continue to use their Smart Cards on
OS X 10.6 & 10.7 as long as they have a supported Tokend for
the Smart Card profile installed. This would require a
non-Apple provided Installer.
Commercial Options (PKard by Thursby Software), (Charismathics Smart Security Interface (CSSI-PIV)), and (Centrify Express for Smart Card 2012)
If the Tokend was independently developed, installation on 10.7
is expected to continue working given any additional
configuration that may need to be done such as authorization
database update, but again with no guarantee or support from
Apple. There have been a handful of commercially available
products with more complete implementations and purchasable
support contracts which many Federal/Commercial customers
prefer. Each of the commercial products available has a
particular target market and list of supported Smart Cards and
Tokens.
Open Source Options (SmartCard Services Update v2.0b1), (Copying 2 files), (OpenSC), or (CACkey)
The MacOSForge.Org - SmartCardServices Project has provided the
actual supported versions for 10.5 & 10.6 and now provides that
capability for Lion (10.7.x).
The Project participants plan to post additional installers for
customers to have the continued capabilities as were there in OS
X 10.6 for as long as is technically feasible - with no
guarantee of compatibility with future releases of OS X. If the
Tokend was previously shipped as part of OS X, then updates
would need to be obtained here from the SmartCardServices
Project (BELPIC, CAC, CACNG, PIV). OpenSC
is an alternative Open Source Smart Card project for CDSA on OS
X.
What option is for me?
Apple encourages all customers to pursue the option above that
best suits their technical and support needs. Both options
have their own pros and cons, so you will need to weigh them
against your organizational and personal needs.
ALL Smart Card related questions, comments, bug submissions
should be targeted at one of the above options.
Smart Card Services on OS X based on CDSA is no longer supported
by Apple starting with OS X Lion 10.7.
-Shawn
__________________________________________________
MacOSForge Project Lead: Smart Card Services
Previous Updates provided from the SmartCardServices Project on
MacOSForge.Org:
http://smartcardservices.macosforge.org/
OS X 10.5.4 - 10.5.5
Smart Card Services Update (SCSU) v1.2 (Installer)
1) CCID Class Driver (v1.3.8)
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle
2) CAC Tokend (Updates)
/System/Library/Security/tokend/CAC.tokend
3) PIV Tokend (Updates)
/System/Library/Security/tokend/PIV.tokend
4) PCSC Framework
/usr/sbin/pcscd
OS X 10.5.6
SCSU integrated into OS X
SCSU v1.2 Fully integrated into OS X 10.5.6
OS X 10.6.0
SmartCardServices - 64-bit
All components supporting 64-bit
TokendPKCS11
PKCS#11 Shim on CDSA - Support PKCS#11 access of Tokend supported Card
OS X 10.6.0 - 10.6.7 / 10.5.6 - 10.5.8
1) CAC-NG Tokend
BETA builds have been available to access CAC-NG (CAC/PIV) - Gemalto TOPDLGX4 144
OS X 10.6.7
1) CAC-NG Tokend (NEW)
/System/Library/Security/tokend/CACNG.tokend
-- Apple shipped the beta Tokend
OS X 10.7.0
1) CCID Class Driver (v1.3.11)
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle
Work continues under the MacOSForge Open Source Project
Any discussion, requests, bug reports, etc.
should all be directed to the appropriate Mailing Lists on
MacOSForge.Org if that is
your chosen option mentioned earlier. The disclaimer here is
that, from this point forward, all work provided by the Project
in whatever form will not ship in a future release of OS X, but
will be provided as an available open source resource.
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
Lion (10.7.x) users, please utilize the Lion support page