Current status of PKCS#11 ECDSA support
Mathias Brossard
mathias at brossard.org
Fri Oct 20 16:05:47 AEDT 2017
On Wed, Oct 18, 2017 at 3:13 PM, Roland Bracewell Shoemaker <roland at eff.org>
wrote:
> What is the current status on work to add support for PKCS#11 ECDSA keys?
> I’ve been using a version of the patch that has been sitting around on the
> bug tracker [1] for ~2 years now without much movement and am wondering if
> this is ever going to make it into a release.
>
Hello. I'm the author of the patch. In addition to some comments in the bug
tracker, I've had several email expressing interest in the patch and/or
reporting success using it.
Is this a case of there being existing issues with that implementation
> without anyone interested in resolving them/pushing forward to get this
> patch merged or are there other extant issues that are preventing this from
> happening?
>
I think that there is some interest. I'm guessing there is a lack of
bandwidth for maintainers to review it.
As hardware based tokens are gaining popularity (not to mention things like
> the built in secure enclave like chips in many newer devices) along with
> the increase in usage of ECDSA keys this would be a really nice thing to
> have baked into mainline releases instead of having to tell people to go
> merge a random patch and build OpenSSH themselves.
>
Hey that's my patch you're talking about :). But I do agree with you it
would be nice to have it added.
If there is anything I can do to help push this along let me know!
>
I'm still interested in improving / fixing the patch to get it included.
I just uploaded a patch that applies cleanly to 7.6p1 and re-tested it with
LibreSSL 2.5.5 and OpenSSL 1.0.2l.
Sincerely,
--
Mathias Brossard
More information about the openssh-unix-dev
mailing list