[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
Simon Josefsson
simon at josefsson.org
Fri Oct 9 07:30:16 AEDT 2015
Damien Miller <djm at mindrot.org> writes:
> On Thu, 8 Oct 2015, Douglas E Engert wrote:
>
>> Then what is:
>> 1.3.6.1.4.1.11591.15.1 Ed25519
>>
>> defined here:
>> https://www.gnu.org/prep/standards/html_node/OID-Allocations.html
>>
>> The whole idea of namedCurve was you did not have to pass in the parameters,
>> and PKIX certificates only allow namedCurve.
>
> Ed25519 is a different algorithm to ECDSA, not just a different curve.
Still it might work anyway. We noticed this with TLS and PKIX. While
EdDSA is different from "normal" ECDSA, by using a namedCurve value
corresponding to Ed25519 you tell implementations you really mean EdDSA.
This is usually enough. Then EdDSA can be used in the already existing
ECDSA umbrella. Of course, it has to be implemented and tested to iron
out any problems.
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 472 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151008/7c7097c5/attachment.bin>
More information about the openssh-unix-dev
mailing list