[RFC 1/2] Add support for openssl engine based keys

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Sat Nov 4 01:34:35 AEDT 2017


>> Let me rephrase my question: what does using OpenSSL engines enable
>> that we can't already do via PKCS#11?
>
> It allows you to use the TPM2 as a secure key store, because there's no
> current PKCS11 code for it.
>
> The essential difference is that Engine files are just that: flat files
> where the key is stored in a form only decodable by the engine.
> PKCS11 tokens are supposed to be represented by tokens and slots which
> is an active entity storing the key.  So, provided I wrap it correctly,
> I can create a TPM representation on one system (I have to know one of
> the hierarchy seeds on the target) transfer the file to the target
> system and use it;…

What I don’t get is – why not transfer those keys to the target machine “somehow”, load them to the TPM there “somehow”, and then treat TPM as a PKCS#11 device?

If there’s no PKCS#11 “driver” for TPM – then that’s what needs to be added, IMHO.
