---
title: WWDC2004 Session 101
framework: wwdc
role: article
path: wwdc/wwdc2004-101
---

# WWDC2004 Session 101

## Transcript

I guess I go over here. There we go. All right. I came here to talk about certificates in Mac OS X and certificate management, and so this session covers the usage of certificates and the way certificates are used, as well as keys. A lot of times when people are talking about certificates they actually mean certificates and keys; the whole sum of things, certificates, keys, trust management, etc., is often referred to as a public key infrastructure, or PKI, so I'll be referring to it by that acronym, if you may.

Different kinds of applications use PKI for different things. The most common use is to identify a person or party on the other end of a connection, determine who they are, and set up a secured or authenticated or encrypted transaction with that other party. Some examples of applications that use PKI on Mac OS X today: Mail. Since Panther, Mail supports S/MIME, which lets you send encrypted and signed email to people on both Macs and Windows and whatever other operating system out there that has S/MIME support. Mail also uses PKI for its SSL support, which you would use if you were connecting to a secured IMAP server or a secure SMTP server. Safari uses PKI for SSL, both for determining the identity of the remote server you're connecting to, so if you're connecting to, you know, your online banking website, it uses the PKI infrastructure on the system to determine that the site you're connecting to really is your bank, and in Panther we also support client-side authentication, which Safari can use to authenticate the user to the bank or to the other sites you're connecting to, whatever that might be, using public/private keys and certificates. Another example is VPN, which is on top of IPsec, and IPsec, for its security associations, can use certificates and PKI infrastructure. And another one that some of you may or may not know is actually FileVault. Although it uses passwords for normal operation, the way the master password for FileVault is implemented means that if you create a FileVault image on the system, what actually happens the first time you do that is it sets up the master password, which is a keychain that contains a certificate and a private key. From then on you don't actually need that master password to create new images, because the public key is readily available, so anyone who creates a new FileVault image after that can allow that FileVault image to be unlocked with the private key, without actually having access to the private key.

So, some of the things you'll learn: we'll start with the PKI review, and I'll try and explain a little bit, just a high-level view of what public key cryptography is and what certificates are. Then I'll go over our new PKI-related APIs. We have a few; I mean, we had a lot of APIs already in Panther, so we haven't added a whole lot, but we've had some requests for some new things, and we've listened to you guys and we've added that. Then there are some improved and some new PKI views that we'll show you. We'll talk a little bit about Keychain Access and /usr/bin/security and what some of the new things that have been going on with those are. And we'll talk about root certificates and how Mac OS X determines whether or not a root certificate is trusted, and I'll explain why that's important later on. And something else we'll be talking about, which unfortunately didn't make it onto your CDs, but we're working very, very hard to get smart card support into Tiger, and there will be fully integrated smart card support in Tiger, and smart cards will be just like keychains. When we get to that portion I'll go into a little more detail about that. And I'll also talk shortly about what it would take, if any of you are CAs or representatives of CAs, to get your root certificates included in either a new version of Mac OS X or software updates.

I have to get closer, I guess. There we go. So here's the PKI review. What is public key cryptography? I don't know, raise your hands: how many of you need this explanation, or is everyone here a security expert? So I'll do this kind of quick, since there are only a few people that don't really know. Public key cryptography works like this: you generate a pair of keys, a public key and a private key. Now, the public key can be shared with anyone out there and doesn't contain any secret information. The private key corresponds to a particular public key, and you need to keep that private key secret. The private key is kept secret by the owner of that key, on his machine or on a smart card or some other token. Public keys can be used to verify signatures, so if someone signs something with a private key, you can verify what was signed with the public key. And private keys can be used to decrypt data that was encrypted with the public key, so if someone else has your public key they can send you an encrypted message that you, and only you, can decrypt.

But by itself, public/private keys, it's a really cool technology, but the problem is: how do you know who a particular public key belongs to? And I have to go back, right. Well, the way we do that on Mac OS X, and there are other solutions out there, but the way that most of the industry has adopted, is X.509 certificates. What an X.509 certificate does is it binds a public key to other forms of identification, and in addition it's certified by a third party. So it produces a binding of your public key to some attributes about the owner of that public/private key pair, and there's some other third party that actually asserts that that binding is correct or valid.

Well, what's in a certificate? Obviously the public key, because that's what we're trying to bind to this other information. Then there are a number of attributes. Those attributes are: there's the issuer. The issuer actually refers to the certificate that certifies this particular certificate, or the authority that has issued this certificate. Then there's a subject, which is a description of the owner of that certificate, or the key in that certificate. Both the issuer and subject are X.500 names, which, if you don't know what that means, is basically like an LDAP distinguished name type of record. I mean, it's actually a superset of an LDAP name, but it's similar to that. So it'll have things like a common name and an organization, and you can add all kinds of different fields to it, and it's really up to the issuer of the certificate to decide which fields they want to certify in a certificate. And then there's a validity period in a certificate, which tells you from when to when that certificate is valid.

In addition, X.509 certificates, version two or three, can contain one or more extensions. Extensions are arbitrary things that can be added to certificates. Now, there are a number of extensions defined out there, and a number of them are commonly in use. Some of them would be a key usage extension, or there's an extended key usage extension as well, which tells you, well, this certificate can only be used to sign things rather than to encrypt things, or this can only be used for email, or this can only be used for a website, etc. And there can be policy statements included in certificates, which might contain a URL referring to a website telling you, you know, what the fact that this authority has issued the certificate really means, or what the guarantees are that they give you, etc. Extensions fall into two categories; there's a flag on an extension: there are critical and non-critical extensions. Non-critical extensions you're allowed to ignore: if an application is processing a certificate and it doesn't understand that extension, it's okay to ignore it. If an extension is marked critical, then you must understand what that extension means, or else you should just not use that certificate in your application. There are very few extensions that are actually marked critical in certificates; usually the ones that are, are crucial to the usage of that cert.

And then finally there's a signature of all of the above information included in the cert, and the signature is made using the private key of the issuer. Now, since the certificate has an issuer, there's essentially a hierarchy. You can have a hierarchy from, you know, a certificate issued by some other certificate, and that certificate in turn is issued by another certificate. The nice thing about certificates being signed is that they can't be tampered with. If you have a certificate, you can verify its validity, and you can verify the issuer certificate's validity, and you can keep going up this chain. So we call the certificates at the bottom leaf certificates, and the certificates that certify leaf certificates intermediate certificates. Now, eventually that chain has to end, and that happens when you get a certificate for which the issuer is the certificate itself, and we call that a root certificate, or a self-signed certificate. And the only way you can determine whether or not a root certificate is trusted is by prior arrangement.

So in summary, here's an example of a cert issued to Ken, issued by some other authority. There's no real limit on how long a chain can be, although there are extensions in certificates which can limit the length of the chain, so a root certificate could limit the length of a chain to two or three certificates, depending on what that certificate authority wants to allow. But typically, applications validating a certificate will follow the chain from the leaf certificate back to a root certificate. So root certificates are also known as certificate authorities, and there are a number of different certificate authorities that we ship. I think as of 10.3.4 there are about 84 certificate authorities in the file mentioned below, /System/Library/Keychains/X509Anchors. You can actually manually add certificates to that file: if you have a root certificate on your desktop or somewhere in the Finder and you double-click it, it'll launch Keychain Access, and Keychain Access will allow you to add it to the X509Anchors database. So if, for example, you work at a university or some institution that has their own certificate authority, and it doesn't use one of the 84 that we already include, you could download that certificate authority's certificate to your machine, and after verifying that it is the correct certificate you could add it to your keychain on your system, and from then on any app on Mac OS X will trust certificates signed by that authority.

So certificates are only half the story, of course, and I sort of alluded to this earlier. Certificates contain the public key, but for you to be able to do something with the certificate you also need a place to store the private key. Certificates, because of the fact that they're signed and they don't contain any secret information, there's no real problem storing them. You could store them anywhere: you can store them on an LDAP server, you could store them, you know, as a file on your desktop, you could download them from a website, etc., because you can always verify their correctness and there's nothing in there that you need to keep secret from anyone else. Now, if you take the certificate and its corresponding private key, where corresponding basically means the private key that belongs to the public key in the certificate, we refer to the combination of those two as an identity, and in our API there's actually a SecIdentityRef object which represents the combination of a certificate and the private key. Now, typically in Keychain Access an identity looks something like this: you'd have a private key and a certificate that are paired together.

Some examples of some applications and what they do. So Mail, like I said, uses the S/MIME APIs for encrypted and signed mail, uses SSL to receive mail from a secured IMAP server or from a secure SMTP server, and again in Mail you can actually view the certificates if there's something wrong with the connection, etc. Some of that was delivered in Panther; I think the Mail team is actually working on some improvements, and with some of the stuff Ken is going to demo to you later, you'll actually see some of the new UI we have that will be integrated into Mail as well. Secure Transport, something that's been around since OS 9, I think, or in some form since OS 9, is used both by Safari and Mail for SSL and TLS. It supports, you know, every variant of SSL: v1, v2, v3, TLS, and auto-negotiates between all of them. Since the 10.3.3 update we also support client-side authentication, and because Secure Transport supports it, every app that uses Secure Transport actually gets this for free. Now, CFNetwork uses Secure Transport under the hood, so guess what: every app that uses CFNetwork also gets these features for free. And likewise, when we add smart card support, every app using CFNetwork, or WebKit, which uses CFNetwork, will also get smart card support for free.

So now to talk a little bit about the new APIs. There really are only two completely new APIs, and they are SecKeychainItemImport and SecKeychainItemExport. What they allow you to do is to import and export certificates and keys to and from keychains, and we support a variety of formats; pretty much everything out there we could find that we thought would be needed by anyone is in there. So we can export to raw OpenSSL, with PEM ASCII armor or without; we support PKCS#7, PKCS#12; you can even import and export SSH keys, so if you had an SSH key you could import that to your keychain, or store it on a smart card, take it to another machine and use that SSH key there. And there are some additional formats. Some of them store individual items, and some of the formats allow you to store multiple items. The import function actually can auto-detect the type of content that you're importing, so if you're writing an application and you're trying to allow, you know, importing of arbitrary things, you could just call import with pretty much all wildcard parameters and it'll figure out what the format of the input data is. Or if you want to specifically limit it to PKCS#12, you can do that.

So here's a little synopsis of what the calls look like. They're pretty basic. SecKeychainItemExport: you pass it an array of items, which are all keychain items, which could be either certificates or keys or some combination thereof; then the format in which you want the items exported, which would be OpenSSL or PKCS#12 or whatnot; then there are some flags, an example of a flag would be whether or not you want it base64 encoded or PEM armor encoded; if you're exporting keys, you pass a pointer to a struct with key params, which contains some additional details about what things you want to do with the keys; and then the last parameter is where you get the result, which is basically a CFData containing the exported items. Now, this may or may not work if you're exporting, say, keys from a smart card. If the smart card doesn't allow you to export the key, it won't work, obviously, but given that the permissions are correct, the export will work. Now, if you're exporting a key from a keychain, typically, because keychains have access control lists, the user will be prompted with some kind of dialog asking him for permission to export that key.

Import looks pretty similar. It has a couple more parameters because it's a little bit more complicated. The first parameter is the data, which is going to be a CFData containing the big blob of information you want to import. Then there's a filename parameter, which is optional, but that can be a hint: if you don't know what the format is and you specify the filename, the import function will use the extension of the filename to guess what the format might be. Then there's a format parameter which is both input and output, which could be PKCS#12 or OpenSSL or whatever the format is that you think the data is in, and on successful completion that'll actually contain the format that the data really was. Then there's an item type, which is both input and output. That can be a hint: you could say, oh, this is a certificate, or this is a key, or I don't know, and on completion the item type will say, well, this was a certificate, or this was actually a combination of multiple items, or this was a single key. And then some flags, and flags can again be things like whether or not it's ASCII armored. On import you have this pointer to key params again; if you're expecting to import keys, things in there for input would be like what you'd want the permissions on those keys to be after they've been imported, etc. Then you can obviously specify the keychain to import the items to, and you can also optionally specify an output array in which it'll return the items that were imported.

So how do you import and export items? Well, on the developer CD you have today, Keychain Access lets you do it: there's an Import menu item and there's an Export menu item in File, so you can just go to Keychain Access and do it right there. There's also a command-line tool, /usr/bin/security, which has an import and an export command, and there's actually help built into /usr/bin/security; there's also a man page. So /usr/bin/security will let you do it. And then in addition to that you could use the APIs that I just explained, if those two options aren't good enough. As for documentation, I don't think there's documentation on the WWDR site yet, but there are explicit comments in the SecImportExport.h header in the Security framework, so if you want to take a look, that's on the CDs that you received yesterday or Monday. So here's an example of how you use the command-line tool. In Terminal, if you wanted to export all the certificates from your login keychain in PEM format, for example as a PKCS#7 blob, you'd say `security export`, well, what it says there.

So with that, I'd like Ken to come up and show you how to do the same thing in Keychain Access, and he'll show you some other things as well. Can I have... let the handoff... Thanks, Michael. Can we have the demo on screen? Thanks.

I'd like to start by showing you some of the new additions that are in progress to the Keychain Access utility. If you've had a chance to fire this up off of your Tiger preview, you'll notice it looks a little bit different than the one that's in 10.3. One of the first things you might notice is there are now categories over here on the left-hand side, so instead of looking at all the items in my keychain, I can just look at my passwords, or just my certificates, or keys. But when you've been using the keychain for a while, and I've been using Mail, I've built up an awful lot of certificates here and it's kind of hard to find them. So we've also added a search feature, so if I'm going to send mail to Murph, I can just type in Murph's name here and there's Murph's cert, I can look at it. Or maybe I want to see where all the Thawte certs are, so I'll type in Thawte, and you'll notice that it's returning the certificates that it finds across all the keychains: I have a copy here in one of my keychains, and I have the other ones that are in the anchors database.

So let me look for stuff that contains my name here, and I've got some of my stuff: I have the certificate here and I have my private key, and as Michael pointed out, the combination of those things makes up my PKI identity. So I can take advantage of that new API that he talked about, SecKeychainItemExport, just by going to the Export menu here in Keychain Access. I'll select that, and let's make a file called kenpki. I have some options here: I can export things as a cert, as PEM armor; what I want when I'm exporting my private key is to put it in a p12 file, or Personal Information Exchange, which is actually encrypted. So I'll go ahead and save that. It asks me for a password to actually encrypt that file, so I'll give it a very secure password here, go ahead and say OK. So we look out here and it's created a p12 file, and that's a standard format for information exchange that could be read by something like Mozilla, can be read on other platforms; I can copy this over to my Windows box and import it there. Let's double-click it and import it into a different keychain here. So I double-click it, it brings up Keychain Access and asks me where I want to add it. Let me add it to my login keychain, and of course I have to enter that password again, which decrypts the file. I'll go back over here, to the login keychain, and I see that it's added those things from the p12 file, and I can look at it and, sure enough, it's my certificate and my key.

So let me tell you a little bit about this certificate view that Keychain Access is showing you. It's a Cocoa view and it's reusable; it's called SFCertificateView. Now, you have some flexibility with this view. Keychain Access here is just showing kind of a summary view with the essential information about the certificate, the name and who issued it, but I can also open it up and get a different instance of that SFCertificateView that shows me a lot more information: shows me all the things that are inside the cert, and I can choose to disclose or hide the details and some of the trust settings. All these things are controlled programmatically, so your application can use this view and decide to show just a brief summary view or the entire contents of a certificate.

So let me show you another example of how you might use that view in an application. This is MiniBrowser, which is a little sample application that comes with WebKit to show you and demonstrate WebKit. Because it's WebKit, it is built on top of, as Michael said, built on top of CFNetwork and Secure Transport, so you get all these things for free, like HTTPS. I can go to a site that uses SSL and this all just works with WebKit. So let me go to the Store here, let's see if that will work. Unfortunately the little button I added is not showing up, so I think that the demo gods are not smiling at me today. Let me try going to a different site here. The University of Washington has a web page, and not to single them out in particular, but they're an example of a site whose root certificate is not part of the default set that is in the X509Anchors file and is trusted by default with Mac OS X. So normally you would have to go and add that certificate out-of-band. So we have a new view, a PKI view called SFCertificateTrustPanel, and what I've done is I've gotten a certificate and I've put up this panel with some text that I supplied, and it's basically asking me for permission because it could not verify the certificate chain. And this panel has some features: I can go ahead and disclose the certificates that are involved, and I look at it and I see, yes, this is the site at the University of Washington and it's signed by their root certificate. We've got an option here; as I said, normally the way that you would go and trust this certificate is out of band, by having to add the certificate into X509Anchors. This isn't quite working yet, but we're working on a way to actually bring that process in band a little bit for the user, so they can just say, go ahead and remember that I said to trust this. So I can click Continue and it goes ahead and loads that page.

So let me show you just real quickly what it took to implement that in this MiniBrowser. I just went and added a function, or a method here, to the sample document called evaluateTrust, and the first thing evaluateTrust does is it makes a SecTrust object by calling SecTrustCreateWithCertificates. So I take those server certs that I got back from making the connection, and I make a SecTrust object, which kind of encapsulates all of that information, and the policy that I'm interested in, which is SSL. And then the next thing I do is evaluate it by calling SecTrustEvaluate, and that will go off, do all of the searching for the root cert and any other certs in the chain that it can find, does the cryptographic evaluation, and returns a result. And that result is the interesting thing. There are a number of them: I can have explicitly denied or explicitly allowed the certificate in advance, but the interesting result that it returns is a recoverable trust failure, and those are cases where, for example, the root certificate is expired or it's not present in the X509Anchors database, but this is something that you can go ahead and override; you can ask the user what to do. So my method here asks the user what to do. It puts up a message about MiniBrowser being unable to verify, and then it creates an instance of this view, SFCertificateTrustPanel. I set up the title of a button; you have complete control over the message and the titles of the buttons that appear. And then I just put up a sheet on the window asking the user what to do, with a selector that will get called when they dismiss it, that will go ahead and either load the page or not load the page. And that's it, that's all the code I had to add to get that working.

So if I could have the other slides back for a moment, could we switch to... I think I probably have to move over here and make it work. Yep. So there are three views that I showed you: SFCertificateView being the base one, the kind of building-block one, and then SFCertificatePanel that's built on top of that. The thing we just looked at was the SFCertificateTrustPanel, which lets the user make a decision about trust. One that I did not show you was the SFChooseIdentityPanel, which lets you pick from multiple PKI identities, and I'll get into that in a minute. All of these are Cocoa classes that have been available since 10.3, but we're adding new functions, adding methods, and improving the functionality, and also improving the look of them so that they have features like progressive disclosure, where you're not pummeling the user with all the information in a certificate right away, but it's there if they need to look at it.

Here's an example. The one in the front there is the SFCertificateTrustPanel, and this is just a sample use in Safari, where it would put up a message, you'd have the option to show the certificates involved, and then to continue with the operation or to cancel. So the SFCertificateView is pretty flexible: you can just show a summary view with the basic information, the name of the cert; you can add programmatically little turn-down triangles that progressively show you more and more detail. And another thing that I missed, but you can actually grab hold of that cert in the view and directly export it, where you can drag it to the Finder to directly export a certificate file, you can drag it to a mail message to export the certificate, either in PEM armor or not. It gives you a lot of flexibility; that's all built into the view, you get that for free.

The SFCertificatePanel is used in cases where you just want to show certificates without necessarily needing the user to make a decision, so it's for informational purposes once the operation's taken place. For example, maybe you've got a website like we saw there where the operation was successful, the certificate chain verified, but you actually want to be able to see that and know what certificates were involved. You can choose to display just one certificate or the entire chain, and you can also add certificates that aren't part of the chain when you're showing that view. There is a standalone interface to that panel, or you can have a sheet interface, as we saw in the demo.

Now, the SFCertificateTrustPanel is the one that you'll want to use when you need to make a trust decision: you don't have enough information, the certificate chain was not necessarily valid, or maybe one of the certificates expired, there was some problem with it, and you want to ask the user what to do. So this panel does all of the hard work and the heavy lifting for you as far as showing you the certificates and giving you the tools to be able to ask the user what to do. Again, like the previous panel, it comes in a standalone panel or in a sheet interface version, and you have complete control over what text shows up and what the buttons look like.

The SFChooseIdentityPanel is one that I didn't show, but it's very similar to those, in that if you need to select from multiple identities, and this is happening more and more, for example users have maybe a free email certificate and then the university or the company or some institution will also issue them a certificate, and so they have a choice of keys and certificates to sign or encrypt things with. So we provide you a panel that you can bring up to display the available identities and to ask the user to pick one, and then it returns the identity that they chose. Again, with progressive disclosure, so you see the names of the identities, and then the user can choose to show all the details or some of them. Again, it's a standalone version or sheet, and you have control over what the buttons look like. So with that I'd like to ask Michael to come back up, and he will tell you a little bit more about the X509Anchors and how they're trusted. Thank you, Ken.

Okay. So I talked a little earlier about the X509Anchors file on Mac OS X, which contains all the root certificates that are trusted by the system. We've actually started doing some software updates to that file, and we've been very careful when we did the software update to make sure we didn't just overwrite the anchors database, but we add the new anchors that we've gotten approval for to that file without blowing away any anchors that you might have added yourself. And that's also true when you upgrade from Panther to Tiger: it'll preserve the anchors database on your system now, which wasn't true going from Jaguar to Panther. So we'd really like you to talk to us if you're a CA, or if you somehow want to get your root certs into the system, about getting them added to Mac OS X, and the person to talk to would be Craig Keithley, and I'll put his contact information up at the end of the session. One thing I forgot to mention earlier on in the session was that Mail uses the S/MIME APIs, sorry, the S/MIME SPIs, and the reason S/MIME is still an SPI is because we really haven't gotten a lot of feedback from developers asking us to make S/MIME an API. If you're a developer of a mail client and you want to see S/MIME become an API, I encourage you to bring that information to the feedback forum.

So next up, smart cards, as I promised in the beginning. Smart card support in OS X: there's some good news and there's some bad news. The good news is we're actually going to be doing something revolutionary here compared to any other platform. The smart card support that will be in OS X will be horizontal smart card support; it will be across the entire OS. You can use the same smart card to log in, to authorize access to, you know, certain settings in System Preferences, use it in Mail, use it in Safari, you can use it for your screensaver, it could be used in a server to store server keys or certificates on. Any apps using CSSM- or CDSA-based APIs, meaning the Keychain APIs, the Secure Transport APIs, or any higher-level APIs, will benefit from this and will have single sign-on with a smart card. So you've inserted the smart card, entered your PIN once to log in, and you won't have to re-enter your PIN every time you do something with the card, unless you choose to, because you'll actually be able to set access control list entries on that card. The security architecture will actually fan out access to that card to multiple applications and gate access to it using access control lists. Previously on Mac OS X we've only really had a few select vertical smart card solutions that were based on PC/SC. Our new architecture is still based on PC/SC; the difference is we're actually sharing access to the card. PC/SC didn't give you any abstraction that let you support multiple cards; it just abstracted basically the reader. So you plug in a USB reader and PC/SC would deal with loading a driver for that, but if you had three different cards you'd have to have three different libraries in your application to talk to those three different cards. That's all over, that will all be over when Tiger ships.

So here's an overview of what the architecture looks like. On the top, the green box there is the applications. I guess we don't get a cursor here, so, well, the green box on the top is your applications, which are either sitting on top of the Sec APIs, or Secure Transport, or CFNetwork, or WebKit, or whatnot, which in turn is layered on top of CDSA. CSSM is the API part of CDSA. That sits on top of a new plug-in module that's going to be in Tiger, which is the SD CSP/DL. SD stands for securityd; securityd is what used to be called Security Server in Panther; we've renamed it to securityd in Tiger. So the SD CSP/DL actually represents a CSP, which stands for cryptographic service provider, and DL, which is a data storage library module. You can think of the CSP part as anything to do with cryptography: encryption, decryption, signing, verify, all that goes through the CSP part. The DL part is anything to do with finding items or records or modifying items or records. So searching for a certificate or a key happens through the DL interface; using that key to actually do something goes through the CSP interface. So if your app was actually written directly to CSSM, which I doubt, very few of your applications will be, I think you'll have to actually modify your app to be aware of the new smart card CSP/DL. If your app is using any of the higher-level APIs, it won't require any changes.

Then securityd actually talks to pcscd. Now, the only communication really between securityd and pcscd is that securityd watches for token insertion events. pcscd tracks the readers on your system, so if you plug in a USB reader it'll notify securityd of that, and securityd will say, OK, fine, whatever. When you actually insert a smart card into one of those readers, pcscd will notify securityd. When that happens, securityd will try and get a code off the smart card to try and identify that card, and based on that it'll narrow down to a selection of one or more different tokend instances that are on the system. So each tokend that is on the system can be seen as a driver for a particular token, a token being a smart card. So each tokend supports a particular class of tokens, so you can have one tokend for cards of manufacturer A, another tokend for cards of manufacturer B, etc. So securityd will launch the ones that are candidates for that card and ask them to tell securityd whether or not they support that particular card that was just inserted, and when it finds the one that actually supports the card, it'll keep that loaded, and tokend will establish a session to the card.

So inside tokend it looks kind of like this. tokend itself uses PC/SC to talk to the card, so the PC/SC framework, which is unchanged from Panther pretty much. The framework at the top, the SecurityTokend framework, for Tiger is still going to be an SPI, but we encourage anyone who wants to develop their own smart card solutions to come and talk to us, either after this session or during the feedback forum, or contact Craig, because we can probably seed you with something to get you started on developing your own tokend, and we might even be able to do something where we can ship support for additional cards in Tiger. Initially we want to support three or four different cards, but the idea is that all you have to do is drop a new tokend on the system for a new card type and the card will be supported by any app that uses these APIs. So the piece in the middle is the actual guts of tokend, and really
the one we're shipping is called token d muscle which if any of you are familiar with the muscle card api which is something we ship they'll support three or four different types of cards that have been formatted in a certain way one card in particular that will be supported is the CAC card that the u.s. government uses and there's a couple other cards that will be supported as well so here would be an example of a third-party token d so you haven't you know that you might have noticed you haven't seen pika social Evan anywhere in this architecture well that's cuz it's really piqued assess 11 is really not an abstract layer it's more in a library layer to talk to one particular card so if you had a peek assist 11 library to talk to your brand of card already it would take very little work basically the part in your token d would be the only code you have to write because you already have the peak assist 11 driver that uses the PCF see framework on Mac OS 10 and you just have to write a little bit of glue code to transition from the token d interface to security d down to pekin / 11 those two interfaces are actually fairly similar the security token the interface is somewhat closer to cdsa than PICUs 11 but they have very similar sets of calls and one of the things we're looking at doing in the future is actually making the your token d-box be part of security token d meaning that if you already had a peek yourself 11 driver you might not have to write any code to provide a token d although they'll probably be a little bit still because the auto-discovery that we're doing is not something picus 11 supports so here's the bath units or at least potential bad news there are a couple of existing smart card solutions out there now all those existing smart card solutions were vertical solutions in that you had you know one or two applications that knew how to load the driver for a particular card and talk to that particular card or cards the problem is with the new 
architecture because we're doing single sign on as soon as we ship a token d that supports that card it'll automatically get loaded when the cards inserted and it will open a session to the card now if the card is single session that means that your vertical app will not be able to coexist with the token D on the system because the card doesn't support to even though pcsc will let you do it the card won't support two apps directly accessing it apps written to the higher-level api's will because the whole reason we're doing this architecture is to have cards that that can only do one session still be capable of being shared between multiple applications at the same time if this is really really a big problem for you we'd really like to hear this at the feedback form because we have some ideas of things we can do to potentially get around this but you would lose a single sign-on when you insert your card when you launch your vertical app basically so but obviously the best thing to do is to transition these apps to the new architecture and tiger because then you get support in mail and Safari and everything and not just in that one app so in particular the cat cards and other cards supported by muscle will be supported natively in tiger so we'll have this problem because I don't think any of those cards are multi-session so and again talk to us about adding support for other types of cards into OS 10 because I mean wouldn't it be cool if you could use safari to do your client side off with you know your custom card that you're using and mail to send secure mail and log in and use screensaver etc so I don't know how many of you are actually like smart card developers out here but for those of you that aren't and that just want to know what to do to get smart card support in your applications well either you you basically do what we've been telling you to do for the past four years use our high-level crypto API and if you're using a cdsa like I said you'll have to be 
aware of the new CSP dl that's there and you'll the normal way to do this using cdsa is using the module directory services to discover which modules are available on the system up until Panther we've only shipped one module of each type in Tiger will start introducing multiple modules of different types so you'll have to scan the directory service the module directory service to figure out which modules are there if you're programming at the CTSA level if you're programming at the SEC API level so sec certificates that keychain items set key etc don't have to worry about this if you're using secure transport it'll just work using see if network or WebKit of this work so you're set your application will automatically support smart cards so for more information and if you want to talk to us please contact craig Keithley and with that I'd like to bring Craig on stage and he's the security and I Oh technology evangelist
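The two points above, the SFChooseIdentityPanel for picking among several identities and the advice to stay at the Sec API level so that smart-card-backed identities show up without app changes, come together in this added example. It is not code from the session or from Apple; it assumes the Mac OS X 10.3/10.4-era Security.framework and SecurityInterface.framework calls named in the comments, and the button titles and message string are constructed for illustration.

```objectivec
// Added example (not from the session): let the user pick a signing identity with
// SFChooseIdentityPanel, enumerating identities through the Sec APIs so that any
// identity living on an inserted smart card (brought up by securityd) appears too.
// Assumes Security.framework and SecurityInterface.framework; build with
//   cc -framework Cocoa -framework Security -framework SecurityInterface
#import <Cocoa/Cocoa.h>
#import <Security/Security.h>
#import <SecurityInterface/SFChooseIdentityPanel.h>

// Collect every identity (private key + certificate) whose key may be used to sign.
static NSArray *signingIdentities(void)
{
    NSMutableArray *identities = [NSMutableArray array];
    SecIdentitySearchRef search = NULL;
    // A NULL keychain list means the default keychain search list, which is what
    // makes a smart card's identities show up with no card-specific code here.
    OSStatus err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
    if (err != noErr)
        return identities;                  // empty: nothing to offer the user
    SecIdentityRef identity = NULL;
    while (SecIdentitySearchCopyNext(search, &identity) == noErr) {
        [identities addObject:(id)identity]; // the array retains it
        CFRelease(identity);                 // drop the +1 from CopyNext
        identity = NULL;
    }
    CFRelease(search);
    return identities;
}

// Run the standalone panel; returns the chosen identity, or NULL if the user
// cancelled or no signing identity was available.
static SecIdentityRef chooseSigningIdentity(void)
{
    NSArray *identities = signingIdentities();
    if ([identities count] == 0)
        return NULL;
    SFChooseIdentityPanel *panel = [SFChooseIdentityPanel sharedChooseIdentityPanel];
    [panel setDefaultButtonTitle:@"Sign"];     // constructed button text
    [panel setAlternateButtonTitle:@"Cancel"];
    [panel setShowsHelp:NO];
    // Constructed message; the panel itself handles progressive disclosure.
    int result = [panel runModalForIdentities:identities
                                      message:@"Choose the identity to sign with:"];
    if (result != NSOKButton)
        return NULL;
    return [panel identity];                  // owned by the panel; retain if kept
}
```

For a sheet instead of a standalone panel, the same class offers beginSheetForWindow:modalDelegate:didEndSelector:contextInfo:identities:message:. On later macOS releases SecIdentitySearch was deprecated in favour of SecItemCopyMatching with kSecClassIdentity, while the panel API is unchanged.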
