OpenSC smartcard access should use raw public keys, not X.509 certificates

Alon Bar-Lev alon.barlev at gmail.com
Sat Aug 2 15:13:54 EST 2008


On 8/2/08, Peter Stuge <stuge-openssh-unix-dev at cdy.org> wrote:
> On Fri, Aug 01, 2008 at 06:16:01PM +0300, Alon Bar-Lev wrote:
>  > >  how do you propose for OpenSSH to be able to make use of both keys?
>  >
>  > Oh... you truly got a problem.... I understand why you discuss this
>  > now... I would recommend choosing a different smartcard.
>
>
> The problem is that this is a reality even for Cryptoflex eGate
>  users. Since it used to be the gold standard OpenSC card I would
>  appreciate a good solution for it. Granted, it has been unavailable
>  for a while, but I expect many to still have them in use.

Maybe a better solution is to implement on-disk storage for public
objects, which will be available as if they were on the token?
This will allow the users to use their token with other
applications... We are discussing OpenSSH here, but please keep in mind that
it is only one application, with not-so-good smartcard support
built in.
Users would like to use Firefox, OpenVPN, PSI and other software. All
require a certificate on the token.

Alon.


More information about the openssh-unix-dev mailing list