WWDC2004 Session 101
Transcript
Kind: captions
Language: en
I guess I go over here. There we go. All right, I came here to talk about certificates in Mac OS X and certificate management, and so this session covers the usage of certificates and the way certificates are used, as well as keys. A lot of times when people are talking about certificates they actually mean certificates and keys. The whole sum of things, certificates, keys and trust management etc., is often referred to as a public key infrastructure, or PKI, so I'll be referring to it by that acronym, if you may.

So different kinds of applications use PKI for different things. The most common use is to identify a person or party on the other end of a connection, determine who they are, and set up a secured or authenticated or encrypted transaction with that other party. Some examples of applications that use PKI on Mac OS X today: our Mail. Mail, since Panther, supports S/MIME, which lets you send encrypted and signed email to people on both Macs and Windows and whatever other operating system out there that has S/MIME support. Mail also uses PKI for its SSL support, which you would use if you were connecting to a secured IMAP server or a secure SMTP server. Safari uses PKI for SSL, both for determining the identity of the remote server you're connecting to, so if you're connecting to, you know, your online banking website, it uses the PKI infrastructure on the system to determine that the site you're connecting to really is your bank, and in Panther we also support client-side authentication, which Safari can use to authenticate the user to the bank or to the other sites you're connecting to, using public/private keys and certificates. Another example is VPN, which is on top of IPsec, and IPsec, for its security associations, can use certificates and PKI infrastructure. And another one that some of you may or may not know is that actually FileVault, although it uses passwords for the normal operation, the way the master password for FileVault is implemented, which means if you create a FileVault image on the system, what actually happens the first time you do that is it sets up the master password, which is a keychain that contains a certificate and a private key, and from then on you don't actually need that master password to create new images, because the public key is readily available. So anyone who creates a new FileVault image after that can allow that FileVault image to be unlocked with the private key without actually having access to the private key.

So some of the things you'll learn: we'll start with the PKI review, and I'll try and explain a little bit, just do a high-level view of what public key cryptography is and what certificates are. Then I'll go over our new PKI-related APIs, and we have a few. I mean, we had a lot of APIs already in Panther, so we haven't added a whole lot, but we've had some requests for some new things and we've listened to you guys when we've added that. Then there's some improved and some new PKI views that we'll show you. We'll talk a little bit about Keychain Access and /usr/bin/security and what some of the new things that have been going on with those are, and we'll talk about root certificates and how Mac OS X determines whether or not a root certificate is trusted, and I'll explain why that's important later on. And something else we'll be talking about, which unfortunately didn't make it to your CDs, but we're working very, very hard to get smart card support into Tiger, and there will be fully integrated smart card support in Tiger, and smart cards will be just like keychains. So when we get to that portion I'll go into a little more detail about that. And I'll also talk shortly about what it would take, if any of you are CAs or representatives of CAs, to get your root certificates included into either a new version of Mac OS X or software updates.

I have to get closer, I guess. There we go. So here's the PKI review. So what is public key cryptography? I don't know, raise your hands, how many of you need this explanation, or is everyone here security experts? So I'll do this kind of quick, since there's only a few people that don't really know. So public key cryptography works by you generate a pair of keys, a public key and a private key. Now the public key can be shared with anyone out there and doesn't contain any secret information. The private key corresponds to a particular public key, and you need to keep that private key secret. The private key is kept secret by the owner of that key on his machine, or on a smart card, or some other token. Public keys can be used to verify signatures, so if someone signs something with a private key, you can verify what was signed with the public key. And private keys can be used to decrypt data that was encoded with the public key, so if someone else has your public key they can send you an encrypted message that you and only you can decrypt. But by itself, public/private keys, it's a really cool technology, but the problem is how do you know who a particular public key belongs to? And I have to go back.
Right. Well, the way we do that on Mac OS X, and there are other solutions out there, but the way most of the industry has adopted is X.509 certificates. What an X.509 certificate does is it binds a public key to other forms of identification, and in addition it's certified by a third party. So it produces a binding of your public key to some attributes about the owner of that public/private key pair, and there's some other third party that actually asserts that that binding is correct or valid.

Well, what's in a certificate? Well, obviously the public key, because that's what we're trying to bind to this other information. Then there's a number of attributes. Those attributes, well, there's the issuer. The issuer actually refers to the certificate that certifies this particular certificate, or the authority that has issued this certificate. Then there's a subject, which is a description of the owner of that certificate, or the key in that certificate. Both the issuer and subject are X.500 names, which, if you don't know what that means, it's basically like an LDAP distinguished name type of record. I mean, it's actually a superset of an LDAP name, but it's similar to that. So it'll have things like a common name and an organization, and you can add all kinds of different fields to it, and it's really up to the issuer of the certificate to decide which fields they want to certify in a certificate. And then there's a validity period in a certificate, which tells you from when to when that certificate is valid. In addition, X.509 certificates, as of version two or three, can contain one or more extensions. Extensions are arbitrary things that can be added to certificates. Now there's a number of extensions defined out there, and a number that are commonly in use. Some of them would be a key usage extension, or there's an extended key usage extension as well, which tells you, well, this certificate can only be used to sign things rather than to encrypt things, or this can only be used for email, or this can only be used for a website, etc. And there can be policy statements included in certificates, which might contain a URL referring to a website telling you, you know, what the fact that this authority has issued the certificate really means, or what the guarantees are that they give you, etc. Extensions fall into two categories. There's a flag on an extension: there are critical and non-critical extensions. Non-critical extensions you're allowed to ignore. If an application is processing a certificate and it doesn't understand that extension, it's okay to ignore it. If an extension is marked critical, then you must understand what that extension means, or else you should just not use that certificate in your application. There are very few extensions that are actually marked critical in certificates; usually the ones that are, are crucial to the usage of that cert. And then finally there's a signature of all of the above information included in the cert, and the signature is using the private key of the issuer.

Now, since the certificate has an issuer, there's essentially a hierarchy. You can have a hierarchy from, you know, a certificate issued by some other certificate, and that certificate in turn is issued by another certificate. The nice thing about certificates being signed is that they can't be tampered with. If you have a certificate you can verify its validity, and you can verify the issuer certificate's validity, and you can keep going up this chain. So we call the certificates at the bottom leaf certificates, and the certificates that sign leaf certificates intermediate certificates. Now eventually that chain has to end, and that happens when you get a certificate for which the issuer is the certificate itself, and we call that a root certificate, or a self-signed certificate. And the only way you can determine whether or not a root certificate is trusted is by prior arrangement.

So, in summary, here's an example of a cert issued to Ken, issued by some other authority. There's no real limit on how long a chain can be, although there are extensions in certificates which can limit the length of the chain, so a root certificate could limit the length of a chain to two or three certificates, or depending on what that certificate authority wants to allow. But typically applications validating a certificate will follow the chain from the leaf certificate back to a root certificate. So root certificates are also known as certificate authorities, and there's a number of different certificate authorities that we ship. I think as of 10.3.4 there are about 84 certificate authorities in the file mentioned below, /System/Library/Keychains/X509Anchors. You can actually manually add certificates to that file: if you have a root certificate on your desktop or somewhere in the Finder and you double-click it, it'll launch Keychain Access, and Keychain Access will allow you to add it to the X509Anchors database. So if, for example, you work at a university or some institution that has their own certificate authority, and it doesn't use one of the 84 that we already include, you could download that certificate authority certificate to your machine, and after verifying that it is the correct certificate, you could add it to your keychain on your system, and from then on any app on Mac OS X will trust certificates signed by that authority.
So certificates are only half the story, of course, and I sort of alluded to this earlier. Certificates contain the public key, but for you to be able to do something with the certificate you also need a place to store the private key. And certificates, because of the fact that they're signed and they don't contain any secret information, there's no real problem storing them. You could store them anywhere: you can store them on an LDAP server, you could store them, you know, as a file on your desktop, you could download them from a website, etc., because you can always verify their correctness, and there's nothing in there that you need to keep secret from anyone else. Now if you take the certificate and its corresponding private key, where corresponding is basically the private key that belongs to the public key in the certificate, we refer to the combination of those two as an identity, and in our API there's actually a SecIdentityRef object which represents the combination of a certificate and the private key. Now typically in Keychain Access an identity looks something like this: you'd have a private key and a certificate that are paired together.

Some examples of some applications and what they do. So Mail, like I said, uses the S/MIME APIs for encrypted and signed mail, uses SSL to receive mail from a secured IMAP server or from a secure SMTP server, and again in Mail you can actually view the certificates if there's something wrong with the connection, etc. Some of it is delivered in Panther; I think the Mail team is actually working on some improvements, and with some of the stuff Ken is going to demo to you later, you'll actually see some of the new UI we have that will be integrated into Mail as well. Secure Transport is something that's been around since OS 9, I think, or in some form since OS 9. It is used both by Safari and Mail for SSL and TLS. It supports, you know, every variant of SSL: v1, v2, v3, TLS, and auto-negotiates between all of them. Since the 10.3.3 update we also support client-side authentication, and because Secure Transport supports it, every app that uses Secure Transport actually gets this for free. Now CFNetwork uses Secure Transport under the hood, so guess what, every app that uses CFNetwork also gets these features for free, and likewise when we add smart card support, every app using CFNetwork, or WebKit, which uses CFNetwork, will also get smart card support for free.

So now to talk a little bit about the new APIs. There really only are two completely new APIs, and they are SecKeychainItemImport and SecKeychainItemExport. What they allow you to do is to import and export certificates and keys to and from keychains, and we support a variety of formats, pretty much everything out there we could find that we thought would be needed by anyone is in there. So we can export to raw OpenSSL, with PEM ASCII armor or without, we support PKCS#7, PKCS#12, you can even import and export SSH keys, so if you had an SSH key you could import that to your keychain, or store it on a smart card, take it to another machine and use that SSH key there. And there's some additional formats. Some of the formats store individual items, and some of the formats allow you to store multiple items. The import function actually can auto-detect the type of content that you're importing, so if you're writing an application and you're trying to allow, you know, importing of arbitrary things, you could just call import with pretty much all wildcard parameters and it'll figure out what the format of the input data is. Or if you want to specifically limit it to PKCS#12, you can do that.

So here's a little synopsis of what the calls look like. The pretty basic one, SecKeychainItemExport: you pass it an array of items, which are all keychain items, which could be either certificates or keys or some combination thereof; then the format in which you want the items exported, which would be OpenSSL or PKCS#12 or whatnot; then there's some flags, an example of a flag would be whether or not you want it base64 encoded or PEM armor encoded; if you're exporting keys you pass a pointer to a struct with key params, which contains some additional details about what things you want to do with the keys; and then the last parameter is where you get the result, which contains basically a CFData containing the exported items. Now this may or may not work if you're exporting, say, keys from a smart card; if the smart card doesn't allow you to export the key, it won't work, obviously, but given that the permissions are correct, the export will work. Now if you're exporting a key from a keychain, typically, because keychains have access control lists, the user will be prompted with some kind of dialog asking him for permission to export that key.

Import looks pretty similar. It has a couple more parameters because it's a little bit more complicated. The first parameter is the data, which is going to be a CFData containing the big blob of information you want to import. Then there's a filename parameter, which is optional, but that can be a hint: if you don't know what the format is, and you specify the filename, the import function will use the extension of the filename to guess what the format might be. Then there's a format parameter, which is both input and output, which could be PKCS#12 or OpenSSL or whatever the format is that you think the data is in, and on successful completion that'll actually contain the format that the data really was. Then there's an item type, which is both input and output, that can be a hint: you could say, oh, this is a certificate, or this is a key, or I don't know, and on completion the item type will say, well, this was a certificate, or this was actually a combination of multiple items, or this was a single key. And then some flags, and flags can again be things like whether or not it's PEM armored. On import you have this pointer to key params again; if you're expecting to import keys, things in there for input would be like what the permissions you'd want on those keys to be after they've been imported, etc. Then you can obviously specify a keychain to import the items to, and you can also optionally specify an output array in which it'll return the items that were imported.

So how do you import and export items? Well, on the developer CD you have today, Keychain Access lets you do it: there's an import menu and there's an export menu in File, so you can just go to Keychain Access and do it right there. There's also a command-line tool, /usr/bin/security, which has an import and an export command, and there's actually help built in to /usr/bin/security, and there's also a man page, so /usr/bin/security will let you do it. And then in addition to that you could use the APIs that I just explained, if these two options aren't good enough. There's documentation, I don't think there's documentation on the WWDR site yet, but there are explicit comments in the SecImportExport.h header in the Security framework, so if you want to take a look, that's on your CDs that you received yesterday or Monday. So here's an example of how you use the command-line tool. So in Terminal, if you wanted to export all the certificates from your login keychain in PEM format, for example as a PKCS#7 blob, you'd say security export, well, what it says there. So with that I'd like Ken to come up and show you how to do the same thing in Keychain Access, and he'll show you some other things as well.
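The export and import calls described in the segment above, as an added example that is not code from the session, from Keychain Access or from Apple: it rounds-trips an identity (certificate plus private key) through a passphrase-protected PKCS#12 blob with SecKeychainItemExport and then imports it into a second keychain with SecKeychainItemImport using the "wildcard" format and item-type parameters, so the detected format and type come back filled in. It is written against the Security framework as it ships in current Mac OS X (with ARC), so it uses SecItemCopyMatching to find the identity rather than the Tiger-era search calls. The keychain paths, the subject name searched for and the passphrase are constructed placeholders.

```objective-c
// Added example (not the session's or Apple's code). Assumes the current
// Security framework and ARC; paths, the name "Ken" and the passphrase are
// placeholders to be replaced before running.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Export keychain items (certificates, keys or identities) as a
// passphrase-protected PKCS#12 blob. PKCS#12 wraps the private key, so the
// passphrase is mandatory, and the keychain's ACL prompts the user for
// permission to export the key, as the session describes.
static NSData *ExportAsPKCS12(NSArray *items, NSString *passphrase, OSStatus *status)
{
    SecKeyImportExportParameters params;
    memset(&params, 0, sizeof(params));
    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.passphrase = (__bridge CFStringRef)passphrase;

    CFDataRef blob = NULL;
    OSStatus err = SecKeychainItemExport((__bridge CFArrayRef)items,
                                         kSecFormatPKCS12,
                                         0,          // no PEM armour: PKCS#12 is binary
                                         &params,
                                         &blob);
    if (status) *status = err;
    return (err == errSecSuccess) ? CFBridgingRelease(blob) : nil;
}

// Import a blob with wildcard parameters: format and item type start as
// unknown and are returned filled in with what was detected. The file name
// is passed only so its extension can serve as a hint.
static NSArray *ImportAutoDetect(NSData *blob, NSString *fileName, NSString *passphrase,
                                 SecKeychainRef destination,
                                 SecExternalFormat *detectedFormat,
                                 SecExternalItemType *detectedType, OSStatus *status)
{
    SecExternalFormat format = kSecFormatUnknown;     // in/out
    SecExternalItemType type = kSecItemTypeUnknown;   // in/out

    SecKeyImportExportParameters params;
    memset(&params, 0, sizeof(params));
    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.passphrase = (__bridge CFStringRef)passphrase;  // needed to open PKCS#12

    CFArrayRef imported = NULL;
    OSStatus err = SecKeychainItemImport((__bridge CFDataRef)blob,
                                         (__bridge CFStringRef)fileName,
                                         &format, &type, 0, &params,
                                         destination, &imported);
    if (status) *status = err;
    if (detectedFormat) *detectedFormat = format;
    if (detectedType) *detectedType = type;
    return (err == errSecSuccess) ? CFBridgingRelease(imported) : nil;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        SecKeychainRef source = NULL, destination = NULL;   // placeholder paths
        if (SecKeychainOpen("/Users/example/Library/Keychains/login.keychain", &source) != errSecSuccess ||
            SecKeychainOpen("/Users/example/Library/Keychains/test.keychain", &destination) != errSecSuccess) {
            fprintf(stderr, "could not open keychains\n");
            return 1;
        }

        // Find identities whose subject contains a name, mirroring the
        // search-by-name shown in the Keychain Access demo.
        NSDictionary *query = @{ (id)kSecClass:               (id)kSecClassIdentity,
                                 (id)kSecMatchSearchList:     @[ (__bridge id)source ],
                                 (id)kSecMatchSubjectContains: @"Ken",      // placeholder
                                 (id)kSecMatchLimit:          (id)kSecMatchLimitAll,
                                 (id)kSecReturnRef:           @YES };
        CFTypeRef found = NULL;
        if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &found) != errSecSuccess) {
            fprintf(stderr, "no matching identity\n");
            return 1;
        }
        NSArray *identities = CFBridgingRelease(found);

        OSStatus err;
        NSString *passphrase = @"placeholder-passphrase";   // constructed; prompt for a real one
        NSData *p12 = ExportAsPKCS12(identities, passphrase, &err);
        if (!p12) { fprintf(stderr, "export failed: %d\n", (int)err); return 1; }
        [p12 writeToFile:@"KenPKI.p12" atomically:YES];

        SecExternalFormat fmt; SecExternalItemType type;
        NSArray *items = ImportAutoDetect(p12, @"KenPKI.p12", passphrase, destination, &fmt, &type, &err);
        if (!items) { fprintf(stderr, "import failed: %d\n", (int)err); return 1; }
        // For a P12 the detected format is kSecFormatPKCS12 and the item type
        // kSecItemTypeAggregate, since it carries both certificate and key.
        printf("imported %lu item(s), format %d, type %d\n",
               (unsigned long)items.count, (int)fmt, (int)type);
        CFRelease(source);
        CFRelease(destination);
    }
    return 0;
}
```

Build with clang -fobjc-arc -framework Foundation -framework Security. The passphrase is what protects the private key once it leaves the keychain's ACL, so in real code it should come from the user (the SecKeyImportExportParameters alertTitle and alertPrompt fields, together with the kSecKeySecurePassphrase flag, let the framework prompt for it) rather than a literal; the literal above exists only so the round-trip runs unattended.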
Can I have the handoff? Thanks, Michael. Can we have the demo on screen? Thanks. I'd like to start by showing you some of the new additions that are in progress to the Keychain Access utility. If you've had a chance to fire this up off of your Tiger preview, you'll notice it looks a little bit different than the one that's in 10.3. One of the first things you might notice is there are now categories over here on the left-hand side, so instead of looking at all the items in my keychain I can just look at my passwords, or just my certificates, or keys. But when you've been using the keychain for a while, and I've been using Mail and I've built up an awful lot of certificates here, it's kind of hard to find them. So we've also added a search feature, so I can look for, if I'm going to send mail to Murph, I can just type in his name here, and there's his cert, I can look at his cert. Maybe I want to see where all the Thawte certs are, so I'll type in Thawte, and you know that it's returning the certificates that it finds across all the keychains, so I have a copy here in one of my keychains, and I have the other ones that are in the anchors database. So let me look for stuff that contains my name here, and I've got some of my stuff: I have the certificate here and I have my private key, and as Michael pointed out, the combination of those things makes up my PKI identity.

So I can take advantage of that new API that he talked about, SecKeychainItemExport, just by going to the Export menu here in Keychain Access. So I'll select that, and let's make a file called KenPKI, and I have some options here. I can export things as a cert, as PEM armor; what I want when I'm exporting my private key is to put it in a P12 file, or Personal Information Exchange, which is actually encrypted. So I'll go ahead and save that. It asks me for a password to actually encrypt that file, so I'll give it a fairly secure password here, go ahead and say OK. So we look out here and it's created a P12 file, and that's a standard format for information exchange that could be read by something like Mozilla, can be read on other platforms. I can copy this over to my Windows box and import it there. Let's double-click it and import it into a different keychain here. So I double-click it, it brings up Keychain Access and asks me where I want to add it. Let me add it to my login keychain, and of course I have to enter that password again, which decrypts the file. I'll go back over here to the login keychain, and I see that it's added those things from the P12 file, and I can look at it, and sure enough, it's my certificate and my key.

So let me tell you a little bit about this certificate view that Keychain Access is showing you. It's a Cocoa view, and it's reusable; it's called SFCertificateView. Now you have some flexibility with this view. Keychain Access here is just showing kind of a summary view with the essential information about the certificate, the name and who issued it, but I can also open it up and get a different instance of that SFCertificateView that shows me a lot more information, shows me all the things that are inside the cert, and I can choose to disclose or hide the details and some of the trust settings. All these things are controlled programmatically, so your application can use this view and decide to show just a brief summary view or the entire contents of a certificate.

So let me show you another example of how you might use that view in an application. This is the MiniBrowser, which is a little sample application that comes with WebKit to show you and demonstrate WebKit. Because it's WebKit, it is built on top, as Michael said, built on top of CFNetwork and Secure Transport, so you get all these things for free, like HTTPS. I can go to a site that uses SSL and this all just works with WebKit. So let me go to the store here, let's see if that will work. Unfortunately the little button I added is not showing up, so I think that the demo gods are not smiling at me today. Let me try going to a different site here, which is the University of Washington. They have a web page, and not to single them out in particular, but they're an example of a site whose root certificate is not part of the default set that is in the X509Anchors file and is trusted by default with Mac OS X. So normally you would have to go and add that certificate out-of-band. So we have a new view, a PKI view called SFCertificateTrustPanel, and what I've done is I've gotten a certificate and I've put up this panel with some text that I supplied, and it's basically asking me for permission because it could not verify the certificate chain. And this panel has some features: I can go ahead and disclose the certificates that are involved, and I look at it and I see, yes, this is the site at the University of Washington, and it's signed by their root certificate. We've got an option here. As I said, normally the way that you would go and trust this certificate is out-of-band, by having to add the certificate into X509Anchors. This isn't quite working yet, but we're working on a way to actually bring that process in-band a little bit for the user, so they can just say, go ahead and remember that I said to trust this. So I can click Continue and it goes ahead and loads that page.

So let me show you just real quickly what it took to implement that in this MiniBrowser. I just went and added a function, or a method here to the sample document, called evaluateTrust, and the first thing evaluateTrust does is it makes a SecTrust object by calling SecTrustCreateWithCertificates. So I take those server certs that I got back from making the connection, and I make a SecTrust object which kind of encapsulates all of that information and the policy that I'm interested in, which is SSL. And then the next thing I do is evaluate it by calling SecTrustEvaluate, and that will go off, do all of the searching for the root cert or any other certs in the chain that it can find, does the cryptographic evaluation, and returns a result. And that result's the interesting thing. There are a number of them: I can have explicitly denied or explicitly allowed the certificate in advance, but the interesting error that returns is a recoverable trust failure, and those are cases where, for example, the root certificate is expired or it's not present in the X509Anchors database, but this is something that you can go ahead and override; you can ask the user what to do. So my method here asks the user what to do. It puts up a message about MiniBrowser being unable to verify, and then it creates an instance of this view, SFCertificateTrustPanel. I set up the title of a button; you have complete control over the message and the titles of the buttons that appear. And then I just put up a sheet on the window asking the user what to do, with a selector that will get called when they dismiss it, that will go ahead and either load the page or not load the page. And that's it, that's all the code I had to add to get that working.

So if I could have the other slides back for a moment, could we switch to the slides? I probably have to move over here and make it work. Yep. So there are three views that I showed you: the certificate view being the base one, the kind of building-block one, and then the certificate panel that's built on top of that. The thing we just looked at was the SFCertificateTrustPanel, which lets the user make a decision about trust. One that I did not show you was the choose identity panel, which lets you pick from multiple PKI identities, and I'll get into that in a minute. All of these are Cocoa classes that have been available since 10.3, but we're adding new functions, adding methods and improving the functionality, and also improving the look of them so that they have features like progressive disclosure, where you're not pummeling the user with all the information in a certificate right away, but it's there if they need to look at it. Here's an example: the one in the front there is the SFCertificateTrustPanel, and this is just a sample use in Safari, where it would put up a message, you'd have the option to show the certificates involved, and then to continue with the operation or to cancel.

So the certificate view is pretty flexible. You can just show a summary view with the basic information, the name of the cert; you can add programmatically little turn-down triangles that progressively show you more and more detail. And another thing that I missed, but you can actually grab hold of that cert in the view and directly export it: you can drag it to the Finder to directly export a certificate file, you can drag it to a mail message to export the certificate, either in PEM armor or not. It gives you a lot of flexibility; that's all built into the view, you get that for free. The SFCertificatePanel is used in cases where you just want to show certificates without necessarily needing the user to make a decision, so it's for informational purposes once the operation's taken place. For example, maybe you've got a website like we saw there where the operation was successful, the certificate chain verified, but you actually want to be able to see that and know what certificates were involved. You can choose to display just one certificate or the entire chain, and you can also add certificates that aren't part of the chain when you're showing that view. There is a standalone interface to that panel, or you can have a sheet interface, as we saw in the demo. Now the SFCertificateTrustPanel is the one that you'll want to use when you need to make a trust decision: you don't have enough information, the certificate chain was not necessarily valid, or maybe one of the certificates expired, there was some problem with it, and you want to ask the user what to do. So this panel does all of the hard work and the heavy lifting for you as far as showing you the certificates and giving you the tools to be able to ask the user what to do. Again, like the previous panel, it comes in a standalone panel or in a sheet interface version, and you have complete control over what text shows up and what the buttons look like. The SFChooseIdentityPanel is one that I didn't show, but it's very similar to those, in that if you need to select from multiple identities, and this is happening more and more, for example users have maybe a free email certificate, and then the university or the company or some institution will also issue them a certificate, and so when they could be signing or encrypting things, they have a choice of keys and certificates to do that with. So we provide you a panel that you can bring up to display the available identities and to ask the user to pick one, and then it returns the identity that they chose. Again with progressive disclosure, so you see the names of the identities, and then the user can choose to show all the details or some of them. Again, it's a standalone version or sheet, and you have control over what the buttons look like. So with that I'd like to ask Michael to come back up, and he will tell you a little bit more about the X509Anchors and how they're trusted.
thank you Ken okay so I talked a little
earlier about there's the x.509 anchors
file on Mac os10 which determines which
contains all the root certificates that
are trusted by the system we've actually
started doing some software updates to
that file and we've been very careful
when we did the software update to make
sure we didn't just overwrite the
anchors database but we add the new
anchors that we've gotten approval for
to that file without blowing away any
anchors that you might have added
yourself and that's also true when you
upgrade from pan through the tiger it'll
it'll preserve the anchors database on
your system now which wasn't true going
from Jaguar to Panther so we'd really
like you to talk to us if your a/ca or
if you somehow want to get your research
into the system about getting them added
to mac OS 10 and the person to talk to
would be Craig Keithley and I'll put his
contact information up at the end of the
session one thing I forgot to mention
earlier on in the session was that mail
uses the SM I'm api's sorry the SF I'm
SP is and the reason of the s- left
still SBI is because we really haven't
haven't gotten a lot of feedback from
developers asking us to make apps my man
API if you're a developer of a mail
client and you want to see us might
become an API i encourage you to bring
that information to the feedback forum
So, next up, smart cards, as I promised in the beginning. Smart card support in OS X: there's some good news and there's some bad news. The good news is we're actually going to be doing something revolutionary here compared to any other platform. The smart card support that will be in OS X will be horizontal smart card support; it will be across the entire OS. You can use the same smart card to log in, to authorize access to certain settings in System Preferences, use it in Mail, use it in Safari, you can use it for your screensaver, it could be used on a server to store server keys or certificates. Any apps using CDSA or CDSA-based APIs, meaning the Keychain APIs, the Secure Transport APIs or any higher-level APIs, will benefit from this and will have single sign-on with a smart card. So once you've inserted the smart card and entered your PIN once to log in, you won't have to re-enter your PIN every time you do something with the card, unless you choose to, because you'll actually be able to set access control list entries on that card. The security architecture will actually fan out access to that card to multiple applications and gate access to it using access control lists.

Previously on Mac OS X we've only really had a few select vertical smart card solutions that were based on PC/SC. Our new architecture is still based on PC/SC; the difference is we're actually sharing access to the card. PC/SC didn't give you any abstraction that let you support multiple cards; it just abstracted, basically, the reader. So you plug in a USB reader and PC/SC would deal with loading a driver for that, but if you had three different cards you'd have to have three different libraries in your application to talk to those three different cards. That will all be over when Tiger ships.
So here's an overview of what the architecture looks like. On the top, the green box there is the applications. I guess we don't get a cursor here, so... well, the green box on the top is your applications, which are either sitting on top of the Sec APIs or Secure Transport or CFNetwork or WebKit or whatnot, which in turn is layered on top of CDSA, of which CSSM is the API part. That sits on top of a new plug-in module that's going to be in Tiger, which is the SD_CSPDL. SD stands for securityd; securityd is what used to be called Security Server in Panther, we've renamed it to securityd in Tiger. So the SD_CSPDL actually represents a CSP, which stands for cryptographic service provider, and a DL, which is a data store library module. You can think of the CSP part as anything to do with cryptography: encryption, decryption, signing, verifying, all of that goes through the CSP part. The DL part is anything to do with finding items or records or modifying items or records, so searching for a certificate or a key happens through the DL interface; using that key to actually do something goes through the CSP interface. So if your app was actually written directly to CSSM, which I doubt, very few of your applications will be, you'll have to actually modify your app to be aware of the new smart card CSP/DL. If your app is using any of the higher-level APIs it won't require any changes.

Then securityd actually talks to pcscd. Now, the only communication really between securityd and pcscd is that securityd watches for token insertion events. pcscd tracks the readers on your system, so if you plug in a USB reader it'll notify securityd of that and securityd will say "ok, fine, whatever". When you actually insert a smart card into one of those readers, pcscd will notify securityd when that happens. securityd will try and get a code off the smart card to try and identify that card; based on that it'll narrow down to a selection of one or more different tokend instances that are on the system. So each tokend that is on the system can be seen as a driver for a particular token, a token being a smart card. So each tokend supports a particular class of tokens, so you can have 14 cards of manufacturer A, another 14 cards for manufacturer B, etc. securityd will launch the ones that are candidates for that card and ask them to tell securityd whether or not they support that particular card that was just inserted, and when it finds the one that actually supports the card it'll keep that loaded, and tokend will establish a session to the card.
So inside tokend it looks kind of like this. tokend itself uses PC/SC to talk to the card, so the PC/SC framework, which is unchanged from Panther pretty much. The framework at the top, the SecurityTokend framework for Tiger, is still going to be an SPI, but we encourage anyone who wants to develop their own smart card solutions to come and talk to us, either after this session or during the feedback forum, or contact Craig, because we can probably seed you with something to get you started on developing your own tokend, and we might even be able to do something where we can ship support for additional cards in Tiger. Initially we want to support three or four different cards, but the idea is that all you have to do is drop a new tokend on the system for a new card type and the card will be supported by any app that uses these APIs.

So the piece in the middle is the actual guts of tokend, and really the one we're shipping is called tokend MUSCLE which, if any of you are familiar with the MuscleCard API, which is something we ship, will support three or four different types of cards that have been formatted in a certain way. One card in particular that will be supported is the CAC card that the U.S. government uses, and there's a couple of other cards that will be supported as well.

So here would be an example of a third-party tokend. You might have noticed you haven't seen PKCS#11 anywhere in this architecture. Well, that's because PKCS#11 is really not an abstraction layer, it's more a library layer to talk to one particular card. So if you had a PKCS#11 library to talk to your brand of card already, it would take very little work: basically the part in your tokend would be the only code you'd have to write, because you already have the PKCS#11 driver that uses the PC/SC framework on Mac OS X, and you just have to write a little bit of glue code to transition from the tokend interface to securityd down to PKCS#11. Those two interfaces are actually fairly similar; the SecurityTokend interface is somewhat closer to CDSA than PKCS#11, but they have very similar sets of calls. And one of the things we're looking at doing in the future is actually making the "your tokend" box be part of SecurityTokend, meaning that if you already had a PKCS#11 driver you might not have to write any code to provide a tokend, although there'll probably be a little bit still, because the auto-discovery that we're doing is not something PKCS#11 supports.
So here's the bad news, or at least the potential bad news. There are a couple of existing smart card solutions out there now. All those existing smart card solutions were vertical solutions, in that you had one or two applications that knew how to load the driver for a particular card and talk to that particular card or cards. The problem with the new architecture is, because we're doing single sign-on, as soon as we ship a tokend that supports that card, it'll automatically get loaded when the card is inserted and it will open a session to the card. Now, if the card is single-session, that means that your vertical app will not be able to coexist with the tokend on the system, because the card doesn't support two; even though PC/SC will let you do it, the card won't support two apps directly accessing it. Apps written to the higher-level APIs will, because the whole reason we're doing this architecture is to have cards that can only do one session still be capable of being shared between multiple applications at the same time. If this is really a big problem for you, we'd really like to hear this at the feedback forum, because we have some ideas of things we can do to potentially get around this, but you would lose single sign-on when you insert your card, when you launch your vertical app, basically. But obviously the best thing to do is to transition these apps to the new architecture in Tiger, because then you get support in Mail and Safari and everything and not just in that one app. So in particular the CAC cards and other cards supported by MUSCLE will be supported natively in Tiger, so we'll have this problem, because I don't think any of those cards are multi-session. And again, talk to us about adding support for other types of cards into OS X, because, I mean, wouldn't it be cool if you could use Safari to do your client-side auth with your custom card that you're using, and Mail to send secure mail, and log in and use screensaver, etc. So I don't know how many
of you are actually smart card developers out here, but for those of you that aren't and that just want to know what to do to get smart card support in your applications: well, you basically do what we've been telling you to do for the past four years, use our high-level crypto APIs. If you're using CDSA, like I said, you'll have to be aware of the new CSP/DL that's there, and the normal way to do this using CDSA is using the Module Directory Services to discover which modules are available on the system. Up until Panther we've only shipped one module of each type; in Tiger we'll start introducing multiple modules of different types, so you'll have to scan the Module Directory Service to figure out which modules are there if you're programming at the CDSA level. If you're programming at the Sec API level, so SecCertificate, SecKeychainItem, SecKey, etc., you don't have to worry about this. If you're using Secure Transport it'll just work; using CFNetwork or WebKit, that'll just work. So you're set, your application will automatically support smart cards.

So for more information, and if you want to talk to us, please contact Craig Keithley, and with that I'd like to bring Craig on stage; he's the Security and I/O Technology Evangelist.