Apple Deprecates CDSA & Smart Card Support in Lion

| News

Apple has elected to deprecate the Common Data Security Architecture (CDSA) in OS X Lion. By extension, this means that current Smart Card services, used by the U.S. Government and others, will also be deprecated and some necessary components will, thereby, not ship in OS X 10.7. However, customers will still be able to use Smart Card services in OS X Lion, and they’ll still have 3rd party options.

In a note to the Fed-Talk mailing list*, Apple Security Consulting Engineer Shawn Geddis explained: “With the release of OS X Lion, Smart Card Services are deprecated and will not ship as a customer functioning service. That does not mean that customers will be unable to continue to use their Smart Cards with OS X Lion. It does mean that all of the necessary components will not come pre-shipped in OS X Lion along with related support.” Briefly, the required Tokend modules will not ship with Lion along with the Authorization Mechanism.

The deprecation of CDSA was discussed at WWDC in June during Session 212, “Next Generation Cryptography.”

Mr. Geddis went on to say, “Apple’s need to deprecate what was there and focus on innovative approaches to solving the digital identity challenges on both OS X and iOS moving forward does not preclude customers from using Smart Cards on OS X 10.6 and even on 10.7. Any developer/user is expected to be able to continue to use their Smart Cards on OS X 10.6 & 10.7 as long as they have a supported Tokend for the Smart Card profile installed. This would require a non-Apple provided Installer.”

A reader familiar with the matter told TMO that equivalent solutions are available from Thursby and Centrify. As a result, customers can continue to use this technology in Lion.

Apple does these kinds of things from time to time in order to move its technology and infrastructure forward. Once Apple elected to deprecate CDSA, it would seem that continued, detailed support for the Smart Card infrastructure no longer makes sense. Government customers have several possible, viable options, and while a few might be tempted to surmise that Apple is forsaking the enterprise and government customers, Mr. Geddis’ explanations make it clear that this is not the case.

A final note: In January, 2009, Apple officially moved the already open sourced components to an organized open source project at MacOSForge.org.

______

* July 20, V8, issue 159

Comments

Keith

Check this guy’s site out.  He does free support to military users and has already come up with a work around.

http://militarycac.com/index.htm

Thanks Chief.

prl53

It would have been better if you had included other portions of Shawn’s email including the following website, http://smartcardservices.macosforge.org/trac/wiki, since this is where everything is and has been for some time. This change was mentioned at WWDC as well as the path forward for CDSA.

SemperFi

Actually Mac OS X Forge has no solution for some of the newer CAC-NG smart cards or Lion and makes explicitly clear that the code there is unsupported, ‘as is’, with non US engineering and to be used at ‘own risk’.  Many questions are unanswered for months.

MilitaryCAC.com tends to be a much more up-to-date and neutral source of information on solutions that work today.

Comments by Centrify’s own personnel on the OS X Forge site suggest they simply mirror the Forge code, bugs, issues and all.

Log-in to comment