[Pki-users] US Government SmartCard question

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Fri May 1 21:49:18 UTC 2015


I will start poking around to see if I can't get a dummy card. Since I'm just a lowly user it may take some wheedling.

Honestly, anything I tell you would be guesswork and hearsay. Our SAML IdP [1] talks about it like it's a PIV. The General Services Administration operates the centers where we go get them issued, and across the civilian agencies, they are known as "USAccess" credentials. [2] I really couldn't tell you whether we're compatible with DoD cards (which guesswork and hearsay leads me to believe is the source of the CAC acronym).

[1] https://www.eauth.usda.gov/Login/login.aspx
[2] http://www.gsa.gov/portal/category/27240 

> -----Original Message-----
> From: Robert Relyea [mailto:rrelyea at redhat.com]
> Sent: Friday, May 01, 2015 3:26 PM
> To: John Magne; Nordgren, Bryce L -FS
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] US Government SmartCard question
> 
> On 05/01/2015 02:01 PM, John Magne wrote:
> > Bryce:
> >
> > We would most welcome a chance to try a dummy card.
> > I think we should copy Bob first to make sure there is not something
> > obvious wrong on the coolkey end.
> 
> I usually insist on a dummy card because we are always making changes to
> coolkey and if I have a dummy card, I can test against that card when I
> add additional card support.
> 
> BTW is this a PIV or CAC card? You mention PIV here, but Jack was
> speaking as if this were a CAC card.
> 
> bob
> >
> >
> >
> > ----- Original Message -----
> >> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> >> To: "John Magne" <jmagne at redhat.com>, rrelyea at redhat.com
> >> Cc: pki-users at redhat.com
> >> Sent: Friday, May 1, 2015 12:26:12 PM
> >> Subject: RE: [Pki-users] US Government SmartCard question
> >>
> >> Jack,
> >>
> >> I don't know the process or if it's possible yet, but would it help if I
> >> could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
> >> throwaway PIN to debug with? I've often found that eliminating ignorant
> >> middlemen (me) speeds solutions along.
> >>
> >> Ideally, the card would be usable for console logins as well as our public
> >> facing SAML IdP [1]. Is there an extra step to making the card usable with a
> >> browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
> >>
> >> Thanks,
> >> Bryce
> >>
> >> [1] https://www.eauth.usda.gov/Login/login.aspx
> >>
> >>> -----Original Message-----
> >>> From: John Magne [mailto:jmagne at redhat.com]
> >>> Sent: Friday, May 01, 2015 12:34 PM
> >>> To: Nordgren, Bryce L -FS
> >>> Cc: pki-users at redhat.com
> >>> Subject: Re: [Pki-users] US Government SmartCard question
> >>>
> >>> Bryce:
> >>>
> >>> Yes, that helps.
> >>> I can take a look at the code when I get a moment.
> >>> Also we might bring in Bob Relyea rrelyea at redhat.com since he is the
> >>> coolkey and coolkey/CAC guru.
> >>>
> >>>
> >>> ----- Original Message -----
> >>> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> >>> To: "John Magne" <jmagne at redhat.com>
> >>> Cc: pki-users at redhat.com
> >>> Sent: Friday, May 1, 2015 11:13:01 AM
> >>> Subject: RE: [Pki-users] US Government SmartCard question
> >>>
> >>> Hi Jack,
> >>>
> >>> I wasn't quite sure how to capture an insertion event with pkcs11_inspect.
> >>> It seems to fail right away if nothing's in the reader. So I ran
> >>> "pkcs11_eventmgr debug nodaemon" in the terminal that had the
> >>> COOL_KEY_LOG_FILE variable set. I also ran a pkcs11_inspect with a card
> >>> already inserted. Log files for both runs are attached.
> >>>
> >>> It's not super verbose, but the root cause seems to be "CAC Select failed".
> >>>
> >>> Does this shed any light on the problem?
> >>>
> >>> Thanks,
> >>> Bryce
> 




