There are a few inaccuracies in the thread.
 
(a) pcsc-lite's drivers may know about the ActivCard reader used in the DoD procurement, but will not normally know about the musclecard/CAC card-edge. PC/SC clients of the pcsc-lite services may impose, and will normally impose, card-edges on the APDU flow between card application and card channel.
 
(b) A PC/SC reader driver could easily authenticate the card, ensuring it's from a CAC-programme-authorized source. Or, the firmware in the special procurement of ActivCard readers may do this, perhaps in response to a proprietary driver escape code produced either by the PC/SC driver or by the client library implementing the card-edge.
 
It's hard to know what happens in the DoD systems actually procured, in reality, as hardly any of the members of this list are technically allowed to see the materials/APIs/code being discussed!! CAC was intended to be handed over to open source, but got Rumsfeld'ed after 9/11 (i.e. given an overly restrictive caveat that interfered with the original mission of applying COTS doctrine to the programme. Dumb move, but there we are...).
 
(c) If I half-remember right, I believe the CAC interface has both internal and external auth, in any case. In the CAC cards I've actually encountered in practice, one can auth to its (shock horror...) GP-enabled Java Card applet loader, in any case (but this is not CAC-compliant, technically).
 
We have an ActiveX control that can authenticate a GP-extended CAC over the wire, if anyone wants. Then one uses a security domain to wrap the end-to-end APDU flow. You cannot use the DoD APIs for accessing the card-edge, though.
 
But, CAC is a GP 2.01 era technology, folks. Don't expect too much assurance, especially given not that much assurance is required in any case by the target security policy.
 
-------
 
Got another PIV card from a source last week. Scott's usual stuff for PIV compliance, plus a 25mAh _rechargeable_ battery, PLUS 125kbps infrared serial LEDs, plus OTP display (using OATH), plus an applet that can read the OTP over 7816-3, plus the Visa swipe emulator (with track data sourced from an ICC applet). Has a micro keypad too, with some status LEDs. When I took it apart, the chip-on-flex manufacturing was obviously production grade.

> Date: Mon, 24 Jul 2006 16:35:26 +0100
> From: [EMAIL PROTECTED]
> To: muscle@lists.musclecard.com
> Subject: Re: [Muscle] CKR_ATTRIBUTE_TYPE_INVALID
> CC: [EMAIL PROTECTED]
>
> Timothy J. Miller wrote:
>
> > Roy Keene (Contractor) wrote:
> > 
> >> You might also want to look into CoolKey 
> >> (http://directory.fedora.redhat.com/wiki/CoolKey) as it doesn't
> >> need commonAccessCard.bundle and seems to recognize a wide range of
> >> CAC cards without the need to update the ATR list or patch
> >> libmusclepkcs11.
> > 
> > 
> > I don't think this is accurate.  CoolKey uses the pcsc-lite API (it 
> > doesn't link against it, it dynloads it).  pcsc-lite most certainly 
> > needs the bundle since it doesn't implement card edge interfaces 
> > generally, and certainly doesn't implement the CAC card edge
> > natively.
> > 
> > That said, I've got a relatively complete CAC ATR list and I'll be 
> > adding it into the bundle Info.plist.  I've also got some Makefile 
> > cleanup to do.  I still haven't looked at redistribution
> > requirements, though.
> > 
>
> This business of verifying a card's authenticity by means of the ATR is 
> really the wrong way to do it. Access to the card after power up should 
> simply be done by Select File using the AID of the relevant application, 
> followed if necessary by retrieving a certificate for on-line 
> verification. But I don't know the detail of the CAC cards that you all 
> are using, although I would have thought that Jim Dray and other friends 
> at NIST would have had a say in how this thing works.
>
> Peter
>
>
> _______________________________________________
> Muscle mailing list
> Muscle@lists.musclecard.com
> http://lists.drizzle.com/mailman/listinfo/muscle
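Peter's point in the quoted reply (locate the application with SELECT by AID and then verify a certificate, rather than trust an ATR whitelist) as an added example. This is not code from the thread, from pcsc-lite, CoolKey or the musclecard bundle; every AID, ATR and FCI value in it is a constructed placeholder, and the card is simulated so the script runs offline. On real hardware the `transmit()` call would go through pcsc-lite (e.g. via pyscard), and the certificate retrieval and on-line verification that follow a successful SELECT are not shown here.

```python
"""Added example (not from the thread): locating a card application by AID
rather than by matching the ATR. All AIDs, ATRs and FCI bytes below are
constructed placeholders; the card is simulated so the script runs offline.
On real hardware transmit() would go through pcsc-lite / pyscard."""

SW_OK = 0x9000              # command completed normally
SW_FILE_NOT_FOUND = 0x6A82  # ISO 7816-4: file or application not found
SW_INS_NOT_SUPPORTED = 0x6D00


def build_select_aid(aid: bytes) -> bytes:
    """ISO 7816-4 SELECT: CLA=00 INS=A4 P1=04 (by DF name/AID) P2=00 Lc AID Le=00."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("AID must be 5..16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def split_response(resp: bytes):
    """Separate response data from the trailing status word SW1SW2."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def parse_simple_tlv(data: bytes) -> dict:
    """Parse single-byte-tag, single-byte-length TLVs (enough for a small FCI)."""
    out, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        out[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


class SimulatedCard:
    """Constructed stand-in for a real card: answers SELECT by AID only."""

    def __init__(self, atr: bytes, applications: dict):
        self.atr = atr
        self.applications = applications  # AID -> FCI bytes returned on SELECT

    def transmit(self, apdu: bytes) -> bytes:
        if len(apdu) < 5 or apdu[:4] != b"\x00\xa4\x04\x00":
            return SW_INS_NOT_SUPPORTED.to_bytes(2, "big")
        lc = apdu[4]
        aid = apdu[5:5 + lc]
        fci = self.applications.get(aid)
        if fci is None:
            return SW_FILE_NOT_FOUND.to_bytes(2, "big")
        return fci + SW_OK.to_bytes(2, "big")


def select_application(card, aid: bytes):
    """Return (selected?, status word, parsed FCI) for SELECT by AID."""
    data, sw = split_response(card.transmit(build_select_aid(aid)))
    return sw == SW_OK, sw, parse_simple_tlv(data) if sw == SW_OK else {}


# The brittle alternative: a whitelist keyed on the ATR (constructed values).
ATR_WHITELIST = {bytes.fromhex("3B8A800101020304"): "known-issuer-batch"}


def identify_by_atr(card):
    return ATR_WHITELIST.get(card.atr)


EXAMPLE_AID = bytes.fromhex("A00000000102030405")   # constructed placeholder AID
FCI = bytes([0x84, len(EXAMPLE_AID)]) + EXAMPLE_AID  # tag 84 = DF name


def demo():
    # Same applet, ATR on the whitelist.
    known = SimulatedCard(bytes.fromhex("3B8A800101020304"), {EXAMPLE_AID: FCI})
    # Same applet, newer chip with an ATR the whitelist has never seen.
    newer = SimulatedCard(bytes.fromhex("3B8A800105060708"), {EXAMPLE_AID: FCI})
    # Whitelisted ATR but no such application on the card at all.
    other = SimulatedCard(bytes.fromhex("3B8A800101020304"), {})
    return {
        "known_by_atr": identify_by_atr(known),
        "newer_by_atr": identify_by_atr(newer),
        "other_by_atr": identify_by_atr(other),
        "known_by_aid": select_application(known, EXAMPLE_AID)[0],
        "newer_by_aid": select_application(newer, EXAMPLE_AID)[0],
        "other_by_aid": select_application(other, EXAMPLE_AID)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run as-is to see the three cards side by side: the ATR whitelist rejects the newer card that carries exactly the same application and accepts the one that carries none, while SELECT by AID gets both of those cases right and hands back the FCI (here the DF name under tag 84) for the next step. The status word is kept in the return value so that a caller can distinguish "application absent" (6A82) from a card that does not understand the command at all (6D00).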