OpenSSH PKCS#11 merge
David Smith
david.daniel.smith at gmail.com
Fri Dec 28 22:44:13 EST 2007
ping.
I've been using Alon's patch and following his arguments on this list for a
while. I want to add my voice to say that the current opensc support should
be completely replaced with pkcs#11 support, since it is the right way to
handle smart cards. The use case that my organization wants is to use the TPM
chips available in most machines as our primary smartcard mechanism,
supporting any other card on machines that don't have TPM chips. The TPM chip
is supported by an alternative pkcs#11 library, opencryptoki, and thus is
unusable from applications that use opensc directly, because it's not a
pkcs#15 card.
This is just one use-case of why having simple pkcs#11 support is much more
valuable than opensc-only, as is written in the opensc introduction and the
RSA pkcs#15 specification.
Alon's patch already functions parallel to the opensc support and RedHat is
bundling it (or a similar patch, I'm not sure of the details). I would like
this support included in mainline with all appropriate speed and importance.
Thanks,
David Smith
--
man perl | tail -6 | head -2
More information about the openssh-unix-dev mailing list