OpenSC smartcard access should use raw public keys, not X.509 certificates

Alon Bar-Lev alon.barlev at
Sat Aug 2 01:16:01 EST 2008

On 8/1/08, Daniel Kahn Gillmor < at> wrote:
>  Well, for PKCS#11, you clearly are *interested* in the X.509
>  certificate, right?  In that case, it wouldn't make sense to care
>  about a bare public key (unless you had some external mechanism to
>  retrieve the relevant certificate), so you're doing the right thing in
>  that patch.  But for regular OpenSSH purposes, where X.509 is *not*
>  relevant, the bare public key is the thing that matters.

No... You you interested in making ssh work...
The PKCS#11 spec does not enforce the types of objects stored, so in
order to save space many vendors choose not to store the public key
So the minimal configuration is having private key (from which you can
extract public key) as a protected object and X.509 certificate (from
which you can extract public key) as public object.
I am hoping to push the PKCS#11 implementation forward, and then there
is no reason to keep the OpenSC specific one.

>  Help me understand: for a user whose smartcard:
>   * allows storage of two private keys, but
>   * is not capable of storing two full X.509 certificates (due to space
>    constraints), but
>   * is capable of storing one X.509 cert and one additional raw public
>    key (i'm in this situation right now),
>  how do you propose for OpenSSH to be able to make use of both keys?

Oh... you truly got a problem.... I understand why you discuss this
now... I would recommend choosing a different smartcard.


More information about the openssh-unix-dev mailing list