openssh unix dev - Aug 2018 - Why still no PKCS#11 ECC key support in OpenSSH ?

On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
> Tone aside, let me second what Bob said. OpenSSH maintainers seem to
> be able to find time for many updates and upgrades - but ECC support
> over PKCS#11 appears to repulse them for more than two years (I don't
> care to check for exactly how many more).
There's no "repulsion" involved, just a lack of time coupled with
a lot
of unfinished work and the costs (for me at least) of ramping up on
an unfamiliar API (PKCS#11).

-d

On August 13, 2018 3:45 AM, Damien Miller <djm at mindrot.org> wrote:
> On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Tone aside, let me second what Bob said. OpenSSH maintainers seem to
> > be able to find time for many updates and upgrades - but ECC support
> > over PKCS#11 appears to repulse them for more than two years (I
don't
> > care to check for exactly how many more).
>
> There's no "repulsion" involved, just a lack of time coupled
with a lot
> of unfinished work and the costs (for me at least) of ramping up on
> an unfamiliar API (PKCS#11).
>
> -d
>

Thanks for the insight Damian.

Could you at least consider bumping up the priority level (its currently sitting
there as a P5 in the back of the queue) ?  I fear otherwise it could easily
continue festering at the back of the cupboard for another few years!

Thanks

Bob

Lack of time on the Open Source projects is understandable, and not uncommon.

However, PKCS11 has been in the codebase practically forever - the ECC patches
that I saw did not alter the API or such. It is especially non-invasive when
digital signature is concerned.

Considering how long those patches have been sitting in the queue, and the
continued interest among the users - perhaps you can prioritize the integration?

Regards,
Uri

Sent from my iPhone
> On Aug 12, 2018, at 22:46, Damien Miller <djm at mindrot.org> wrote:
> 
>> On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>> 
>> Tone aside, let me second what Bob said. OpenSSH maintainers seem to
>> be able to find time for many updates and upgrades - but ECC support
>> over PKCS#11 appears to repulse them for more than two years (I
don't
>> care to check for exactly how many more).
> 
> There's no "repulsion" involved, just a lack of time coupled
with a lot
> of unfinished work and the costs (for me at least) of ramping up on
> an unfamiliar API (PKCS#11).
> 
> -d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5801 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180813/6c278475/attachment.p7s>

On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
> Lack of time on the Open Source projects is understandable, and not
uncommon.
>
> However, PKCS11 has been in the codebase practically forever - the ECC
> patches that I saw did not alter the API or such. It is especially
> non-invasive when digital signature is concerned.
>
> Considering how long those patches have been sitting in the queue, and
> the continued interest among the users - perhaps you can prioritize
> the integration?
If someone can recommend hardware and some instructions on how to
set it up that will only improve the changes of this happening sooner.

-d