[Pki-users] US Government SmartCard question

Robert Relyea rrelyea at redhat.com
Fri May 1 21:25:34 UTC 2015


On 05/01/2015 02:01 PM, John Magne wrote:
> Bryce:
>
> We would most welcome a chance to try a dummy card.
> I think we should copy Bob first to make sure there is not something
> obvious wrong on the coolkey end.

I usually insist on a dummy card because we are always making changes to 
coolkey and if I have a dummy card, I can test against that card when I 
add additional card support.

BTW is this a PIV or CAC card? You mention PIV here, but Jack was 
speaking as if this were a CAC card.

bob
>
>
>
> ----- Original Message -----
>> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
>> To: "John Magne" <jmagne at redhat.com>, rrelyea at redhat.com
>> Cc: pki-users at redhat.com
>> Sent: Friday, May 1, 2015 12:26:12 PM
>> Subject: RE: [Pki-users] US Government SmartCard question
>>
>> Jack,
>>
>> I don't know the process or if it's possible yet, but would it help if I
>> could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
>> throwaway PIN to debug with? I've often found that eliminating ignorant
>> middlemen (me) speeds solutions along.
>>
>> Ideally, the card would be usable for console logins as well as our public
>> facing SAML IdP [1]. Is there an extra step to making the card usable with a
>> browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
>>
>> Thanks,
>> Bryce
>>
>> [1] https://www.eauth.usda.gov/Login/login.aspx
>>
>>> -----Original Message-----
>>> From: John Magne [mailto:jmagne at redhat.com]
>>> Sent: Friday, May 01, 2015 12:34 PM
>>> To: Nordgren, Bryce L -FS
>>> Cc: pki-users at redhat.com
>>> Subject: Re: [Pki-users] US Government SmartCard question
>>>
>>> Bryce:
>>>
>>> Yes, that helps.
>>> I can take a look at the code when I get a moment.
>>> Also we might bring in Bob Relyea rrelyea at redhat.com since he is the
>>> coolkey and coolkey/CAC guru.
>>>
>>>
>>> ----- Original Message -----
>>> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
>>> To: "John Magne" <jmagne at redhat.com>
>>> Cc: pki-users at redhat.com
>>> Sent: Friday, May 1, 2015 11:13:01 AM
>>> Subject: RE: [Pki-users] US Government SmartCard question
>>>
>>> Hi Jack,
>>>
>>> I wasn't quite sure how to capture an insertion event with pkcs11_inspect.
>>> It seems to fail right away if nothing's in the reader. So I ran
>>> "pkcs11_eventmgr debug nodaemon" in the terminal that had the
>>> COOL_KEY_LOG_FILE variable set. I also ran a pkcs11_inspect with a card
>>> already inserted. Log files for both runs are attached.
>>>
>>> It's not super verbose, but the root cause seems to be "CAC Select failed".
>>>
>>> Does this shed any light on the problem?
>>>
>>> Thanks,
>>> Bryce

