[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent

Mathias Brossard mathias at brossard.org
Thu Dec 21 11:42:00 AEDT 2017


Two years ago I submitted a patch (
https://bugzilla.mindrot.org/show_bug.cgi?id=2474) to enable ECDSA in
PKCS#11 support for ssh-agent. During this time:
- The value of 2FA has become increasingly visible, and is sometimes even
mandated by regulations. 2FA tokens that can store asymmetric keys are more
readily available.
- The ROCA vulnerability impacting millions of smartcards for RSA key
generation. Cryptographic algorithm agility is a good thing, and can help
to work-around those kind of issues.
- Many people, in the ticket, the mailing-list or privately to me, have
showed an interest in the patch, several of them expressing a desire to
help. I got test results, bug reports, improvements requests and patches.

ECDSA is not perfect but in the context of SSH with secure elements, the
signature is faster and smaller than RSA at similar security levels. Some
of my fellow contributors have asked what we can do to help this get merged
upstream. Except tracking new releases and possible additional issues
encountered in test, I think at this point we can't do a lot more on our
own. We would welcome additional feedback, in particular from maintainers.

Mathias Brossard

More information about the openssh-unix-dev mailing list