OpenSSH PKCS#11 merge

David Smith david.daniel.smith at gmail.com
Fri Dec 28 22:44:13 EST 2007


ping.

I've been using Alon's patch and following his arguments on this list for a 
while. I want to add my voice to say that the current opensc support should 
be completely replaced with pkcs#11 support, since it is the right way to 
handle smart cards. The use case that my organization wants is to use the TPM 
chips available in most machines as our primary smartcard mechanism, 
supporting any other card on machines that don't have TPM chips. The TPM chip 
is supported by an alternative pkcs#11 library, opencryptoki, and thus is 
unusable from applications that use opensc directly, because it's not a 
pkcs#15 card.

This is just one use-case of why having simple pkcs#11 support is much more 
valuable than opensc-only, as is written in the opensc introduction and the 
RSA pkcs#15 specification.

Alon's patch already functions parallel to the opensc support and RedHat is 
bundling it (or a similar patch, I'm not sure of the details). I would like 
this support included in mainline with all appropriate speed and importance.

Thanks,
David Smith
-- 
man perl | tail -6 | head -2