pkcs and host keys

William Ahern william at 25thandClement.com
Fri Jan 20 04:57:15 EST 2012


On Thu, Jan 19, 2012 at 06:20:15PM +0100, Jean-Michel Pouré - GOOZE wrote:
> Dear Damien Miller and friends,
> 
> > No, I haven't started working on it yet for lack of smartcard
> > hardware.
> > I (or someone else) will probably get around to it sooner or later,
> > but
> > it will go quicker if I can get a supported USB smartcard on OpenBSD. 
> 
> GOOZE would be glad to support such a project donating 10 ePass2003 to
> interested OpenSSH developers. 
> 
> The ePass2003 is fully supported under GNU/Linux, FreeBSD and Windows:
> http://www.gooze.eu/epass-2003
> 

The OpenSC stack is horrendously ugly, for various reasons. I've never been
able to get it to work (with three different cards), and apparently neither
has Apple, who attempted to integrate it but failed (I've never been able to
get a smart card to work in OS X).

In my opinion (not that anyone should care), I'd say that the best bang for
a developer's buck would be to only support smartcards that follow the
Personal Identity Verification (PIV) NIST standard, which specifies the wire
protocol for basic crypto operations like signing, etc. All new US
government crypto tokens must support this, AFAIU, and it's becoming quite
common.

Does the ePass2003 support PIV?


More information about the openssh-unix-dev mailing list