On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:> Tone aside, let me second what Bob said. OpenSSH maintainers seem to > be able to find time for many updates and upgrades - but ECC support > over PKCS#11 appears to repulse them for more than two years (I don't > care to check for exactly how many more).There's no "repulsion" involved, just a lack of time coupled with a lot of unfinished work and the costs (for me at least) of ramping up on an unfamiliar API (PKCS#11). -d
On August 13, 2018 3:45 AM, Damien Miller <djm at mindrot.org> wrote:> On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: > > > Tone aside, let me second what Bob said. OpenSSH maintainers seem to > > be able to find time for many updates and upgrades - but ECC support > > over PKCS#11 appears to repulse them for more than two years (I don't > > care to check for exactly how many more). > > There's no "repulsion" involved, just a lack of time coupled with a lot > of unfinished work and the costs (for me at least) of ramping up on > an unfamiliar API (PKCS#11). > > -d >Thanks for the insight Damian. Could you at least consider bumping up the priority level (its currently sitting there as a P5 in the back of the queue) ? I fear otherwise it could easily continue festering at the back of the cupboard for another few years! Thanks Bob
Blumenthal, Uri - 0553 - MITLL
2018-Aug-13 14:09 UTC
Why still no PKCS#11 ECC key support in OpenSSH ?
Lack of time on the Open Source projects is understandable, and not uncommon. However, PKCS11 has been in the codebase practically forever - the ECC patches that I saw did not alter the API or such. It is especially non-invasive when digital signature is concerned. Considering how long those patches have been sitting in the queue, and the continued interest among the users - perhaps you can prioritize the integration? Regards, Uri Sent from my iPhone> On Aug 12, 2018, at 22:46, Damien Miller <djm at mindrot.org> wrote: > >> On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: >> >> Tone aside, let me second what Bob said. OpenSSH maintainers seem to >> be able to find time for many updates and upgrades - but ECC support >> over PKCS#11 appears to repulse them for more than two years (I don't >> care to check for exactly how many more). > > There's no "repulsion" involved, just a lack of time coupled with a lot > of unfinished work and the costs (for me at least) of ramping up on > an unfamiliar API (PKCS#11). > > -d-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5801 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180813/6c278475/attachment.p7s>
On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:> Lack of time on the Open Source projects is understandable, and not uncommon. > > However, PKCS11 has been in the codebase practically forever - the ECC > patches that I saw did not alter the API or such. It is especially > non-invasive when digital signature is concerned. > > Considering how long those patches have been sitting in the queue, and > the continued interest among the users - perhaps you can prioritize > the integration?If someone can recommend hardware and some instructions on how to set it up that will only improve the changes of this happening sooner. -d
Apparently Analagous Threads
- Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
- [Bug 2638] New: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
- [Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
- [Bug 2890] New: ssh-agent should not fail after removing and inserting smart card
- [RFC 1/2] Add support for openssl engine based keys