OpenSC smartcard access should use raw public keys, not X.509 certificates
Alon Bar-Lev
alon.barlev at gmail.com
Fri Aug 1 15:32:36 EST 2008
This is incorrect.
The public key object is not always available on smartcards.
Basic configuration is having private key + X.509 certificate on card.
This is why the PKCS#11 patch [1] also doesn't assume public key existence.
Alon.
[1] http://alon.barlev.googlepages.com/openssh-pkcs11
On 8/1/08, Daniel Kahn Gillmor <dkg-openssh.com at fifthhorseman.net> wrote:
> > The OpenSC smartcard framework supports access to both raw public
> > keys and X.509 certificates on crypto tokens. When OpenSSH is
> > compiled --with-opensc, it currently looks for X.509 certificates on
> > any smartcard it uses. But OpenSSH itself uses raw public keys (and
> > not X.509), so requiring the presence of an X.509 cert on the
> > smartcard is unnecessary and potentially problematic.
>
> Any word on the patch I offered to fix this problem? The original
> message can be found here:
>
> http://marc.info/?l=openssh-unix-dev&m=121394687518903&w=2
>
> I've now opened it as a bug in the mindrot bugzilla as well:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=1498
>
> The patch is a narrow one, and affects only those folks who compile
> --with-opensc. Is there anything I can do to encourage adoption of
> it?
>
> Thanks for all the great work. I'm excited about 5.1!
>
>
> --dkg