[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Dec 21 12:11:11 AEDT 2017

I'm disappointed that the maintainers haven't integrated ECDSA support yet, and urge to do so now.


Sent from my iPhone

> On Dec 20, 2017, at 19:48, Mathias Brossard <mathias at brossard.org> wrote:
> Hi,
> Two years ago I submitted a patch (
> https://bugzilla.mindrot.org/show_bug.cgi?id=2474) to enable ECDSA in
> PKCS#11 support for ssh-agent. During this time:
> - The value of 2FA has become increasingly visible, and is sometimes even
> mandated by regulations. 2FA tokens that can store asymmetric keys are more
> readily available.
> - The ROCA vulnerability impacting millions of smartcards for RSA key
> generation. Cryptographic algorithm agility is a good thing, and can help
> to work-around those kind of issues.
> - Many people, in the ticket, the mailing-list or privately to me, have
> showed an interest in the patch, several of them expressing a desire to
> help. I got test results, bug reports, improvements requests and patches.
> ECDSA is not perfect but in the context of SSH with secure elements, the
> signature is faster and smaller than RSA at similar security levels. Some
> of my fellow contributors have asked what we can do to help this get merged
> upstream. Except tracking new releases and possible additional issues
> encountered in test, I think at this point we can't do a lot more on our
> own. We would welcome additional feedback, in particular from maintainers.
> Sincerely,
> -- 
> Mathias Brossard
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5801 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20171221/e74d35b4/attachment.p7s>

More information about the openssh-unix-dev mailing list