Update, Apple is trying built in Smart
Card Services again in Mac OS Sierra
July 20, 2011 12:18:40 PM CDT
[Fed-Talk] [Announcement] OS X Lion - Smart Card Services
The following was an announcement Shawn Geddes sent out on
20 July 2011 to customers using Smart Cards on Mac OS X. I
share it here for completeness and clarity to
MacOSForge's continuing open source development and user
MacOSForge's SmartCardServices project is continuing, but
had to make changes with respect to what is ships in OS X
Smart Card Services and the ability to
develop support for a multitude of Smart Card devices and
profiles based on CDSA/Tokend has been available in OS X since
version 10.4. Approximately two years ago, Apple officially
moved the already open sourced components to an organized open
source project at
MacOSForge.org which has been lead by Shawn Geddes,
Enterprise Security Consulting Engineer with involvement from
key leads within the open source community. This project
has driven the ongoing development and support for additional
readers and smart card profiles which were then incorporated
into OS X 10.5 through 10.6. *See "Previous Updates.."
As Apple continues to drive innovation in the mobility space, it
is necessary to continually reevaluate how OS services can be
enhanced to better serve Apple's customer base. Apple has had
to make some tough decisions relating to the current Smart Card
X Lion Support ?
With the release of OS X Lion, Smart Card Services are
deprecated and will not ship as a customer functioning service.
That does not mean that customers will be unable to continue to
use their Smart Cards with OS X Lion. It does mean that all of
the necessary components will not come pre-shipped in OS X Lion
along with related support. Customers needing to continue to
use their Smart Cards with OS X Lion will need to pursue one of
the options mentioned here later according to their needs and
the change ?
The foundational components for Smart Card Services in OS X have
been based on an architecture (CDSA) that has been deprecated in
the released version of OS X Lion. This indicates CDSA's use
and support has stopped and will be removed completely in a
future release of OS X. Any solution for OS X still leveraging
the deprecated CDSA can continue to function for now, but the
CDSA infrastructure would no longer receive enhancements or bug
fixes. CDSA will no longer ship in future releases of OS X.
Apple clarified the migration
from CDSA for developers during the WWDC 2011 Conference in San
Francisco (June 6-10) during the "Next Generation Cryptographic
Services" Session 212. [Those with developer access can view
the Conference Videos via ADC on iTunes.]
was changed ?
The Smart Card Services deprecation was
limited to the following components no longer shipping in OS X.
No Tokend modules ship with OS X Lion (10.7)
Authorization Mechanism reference missing
Apple's need to deprecate what was there and focus on innovative
approaches to solving the digital identity challenges on both OS
X and iOS moving forward does not preclude customers from using
Smart Cards on OS X 10.6 and even on 10.7. Any developer / user
is expected to be able to continue to use their Smart Cards on
OS X 10.6 & 10.7 as long as they have a supported Tokend for
the Smart Card profile installed. This would require a
non-Apple provided Installer.
by Thursby Software)
(Charismathics Smart Security Interface (CSSI-PIV)),
If the Tokend was independently developed, installation on 10.7
is expected to continue working given any additional
configuration that may need to be done such as authorization
database update, but again with no guarantee or support from
Apple. There have been a handful of commercially available
products with more complete implementations and purchasable
support contracts which many Federal/Commercial customers
prefer. Each of the commercial products available has a
particular target market and list of supported Smart Cards and
Services Update v2.0b1), (Copying
MacOSForge.Org - SmartCardServices
Project has provided the actual supported versions for 10.5 &
10.6 and now provides that capability for
Lion (10.7.x) and Mountain Lion (10.8.x).
The Project participants plan to post additional installers for
customers to have the continued capabilities as were there in OS
X 10.6.x for as long as is technically feasible - with no
guarantee of compatibility with future releases of OS X. If the
Tokend was previously shipped as part of OS X, then updates
would need to be obtained here from the SmartCardServices
Project (BELPIC, CAC, CACNG, PIV).
option is for me ?
Apple encourages all customers to pursue the option above that
best suites their technical and support needs. Both options
have their own pros and cons, so you will need to weigh them
against your organizational and personal needs.
ALL Smart Card related questions, comments, bug submissions
should be targeted at one of the above options.
Smart Card Services on OS X based on CDSA is no longer supported
by Apple starting with OS X Lion 10.7.
Smart Card Services
Previous Updates provided from the SmartCardServices Project on
Work continues under the MacOSForge Open Source Project
Any discussion, requests, bug reports, etc.
should all be directed to the appropriate Mailing Lists on
MacOSForge.Org if that is
your chosen option mentioned earlier. The disclaimer here is
that, from this point forward, all work provided by the Project
in whatever form will not ship in a future release of OS X, but
will be provided as an available open source resource.