Open bluikko opened 6 years ago
This project was intended to fill the gap between Yubikeys and smart card deployment on Windows Active Directory networks using an Enroll-on-behalf-of (EOBO) method. Yubico already had guides that showed how to use their tool to let users enrol their own keys, but did not support the EOBO which is often used in larger companies.
Windows has EOBO in its certificate snap-in, but it required the minidriver which is a PKCS#11 driver that works with Microsoft CAPI. With the minidriver you don't have to use this application and can instead start using or migrate to other existing EOBO solutions.
This project is not part of Yubico and we created it to fill a gap in our own infrastructure but decided it could help others too, so we made it open source. We consider the project feature complete as-is.
Yubico did produce official documentation referring to ES. Thanks for clarifying the exact status.
ES has several bugs still, but I could agree it is feature complete, and those bugs are mostly annoyances. Lack of some features is also not a show-stopper.
The issue with the Minidriver, as good as its features are, is that there is no support for OpenSC on macOS, based on what Yubico has stated on forums.
So I would imagine ES will continue to be the only workflow for environments with more than just Windows.
Certificates placed on a Yubikey by ES should be identical to any other system. The ES tool is simply asking a Windows Certificate Authority service connected to Active Directory for a certificate and then uses Yubico's own libraries to place the certificate in the right slot.
The minidriver is simply a small piece of code that makes it possible for the native OS to talk with the Yubikey directly (instead of using Yubico's libraries as we are).
Did Yubico release drivers for Mac OS that stopped certificate login from working?
But the minidriver, to my knowledge, somehow "does away" with the slots. It allows storing multiple certificates for authentication; technically the format of storing the certificates has changed to some "container"-based structure. Or something.
I do not know about macOS - I am trying to find out. Yubico forum postings have indicated that once the minidriver is used (and certificate store on the YK migrated to the new style), it would not work on any other OS or any other way than with the currently Windows-only minidriver.
Looking at https://forum.yubico.com/viewtopic.php?f=25&t=2764 there has been a massive change in how YK PIV functionality can work.
Am I mistaken in thinking that the Minidriver makes EnrollmentStation (ES) more or less redundant? Are there some functions in ES that are missing from the native Windows functionality leveraging the Minidriver?
Does this mean the ES, that has not seen a release in a year, will be getting even less development?
Pushing out the Minidriver through Windows Updates surprised us badly, and I think we cannot move to using it because we use the YK PIV functionality in macOS as well. I understood that if you go the Minidriver way and re-enroll the YK, it cannot be used under macOS/OpenSC? These non-ES-related questions I shall put to the official YK forum as well.
Edit: the aforementioned forum link totally does not even mention ES. Is this product/workflow actually still officially supported by Yubico?