[Pcsclite-muscle] OSX - Yosemite - PCSC-Lite vs CryptoToken Framework

Martin Paljak martin
Wed Feb 11 09:21:49 PST 2015


Hello,


On 11/02/15 17:32, Evans, Frazier [USA] wrote:
> So as I have read from the blogs and seen first hand with multiple Smart Card Middleware products there are some challenges with the current Smart Card direction that Apple may be taking. I am looking for other opinions on this and if this is not an appropriate forum please direct me to one.

Huge thanks to Ludovic for documenting this, because a lot of Apple
"fanboys" insist on Apple being perfect and other software being to blame :)

We have a small country (Estonia) where all OSX users are affected by
this, me included (a reason I still run 10.9) and it is so much easier
to give a link with further reading than to repeat it all over.

> I am wondering if building the current PCSC-lite and CCID drivers would not solve the problems I am currently seeing with using FIPS 800-73 v 3 compliant smart cards for the near term as everyone works out their issues. Before I head down this trail here are a couple of questions:

This really depends on your use cases. If you have dedicated
applications that need to work, having a separate stack might be useful.
If you want to integrate with OSX apps like Safari or Chrome for TLS via
Tokend, I would probably not bother.

> a) Can PCSC-Lite and the new CryptoToken Framework co-exist and function properly on Yosemite?

I don't think so, both providing a "platform service" (which PC/SC and
CT both try to do) is not a fruitful quest. I have not tried, but if you
have positive results, please write about it!


> b) What is the downside to this approach for a user base of approximately 1000 Smart Card users on Macs?

- tongue-in-cheek: if you have central management, maybe push a VirtualBox
or dual-boot image? ;)

Being realistic though: if you have a 1:1 controlled environment (single
OSX version, single set of apps) it might be worth trying to circumvent
Apple and set up some machinery to have a parallel

Maybe this is one of the reasons why Google has USB support *in the
browser* and direct communication to USB, avoiding middle layers with FIDO.

Not that I'm advocating for such behemoth platforms but it obviously
confines a lot of 3rd party issues: down to hardware code in end-user
application, instead of relying on platform services.

Martin






