Jan “Zviratko” Schermer
2018-Aug-14 14:10 UTC
Why still no PKCS#11 ECC key support in OpenSSH ?
PKCS#11 support for ECC should have been integrated years ago. Let's not complicate it now, just integrate the existing patches so that people stuck with EC keys at least can use them somehow...

Jan

Sent from my iPhone

> On 14 Aug 2018, at 17:04, Ben Lindstrom <mouring at offwriting.org> wrote:
>
> Wasn't there a proposal at one time to create something like AuthorizedKeysCommand for PKCS11 and other methods that required more complex backend processes, so it could be externalized and OpenSSH could be simplified?
>
> Ben
>
> Damien Miller wrote:
>>> On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>>>
>>> Lack of time on the Open Source projects is understandable, and not uncommon.
>>>
>>> However, PKCS11 has been in the codebase practically forever - the ECC
>>> patches that I saw did not alter the API or such. It is especially
>>> non-invasive when digital signature is concerned.
>>>
>>> Considering how long those patches have been sitting in the queue, and
>>> the continued interest among the users - perhaps you can prioritize
>>> the integration?
>>
>> If someone can recommend hardware and some instructions on how to
>> set it up that will only improve the chances of this happening sooner.
>>
>> -d
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Ben Lindstrom
Why still no PKCS#11 ECC key support in OpenSSH ?
*shrug* I would argue this is the perfect time. These patches will not end up in 7.8 as it is "feature complete." So you're at the start of the 7.9 cycle, which is the perfect time to redesign and implement a better solution, as you have a nice long haul period to get it right.

Ben

Jan “Zviratko” Schermer wrote:
> PKCS#11 support for ECC should have been integrated years ago. Let's not complicate it now, just integrate the existing patches so that people stuck with EC keys at least can use them somehow...
>
> Jan
>
> Sent from my iPhone
>
>> On 14 Aug 2018, at 17:04, Ben Lindstrom <mouring at offwriting.org> wrote:
>>
>> Wasn't there a proposal at one time to create something like AuthorizedKeysCommand for PKCS11 and other methods that required more complex backend processes, so it could be externalized and OpenSSH could be simplified?
>>
>> Ben
>>
>> Damien Miller wrote:
>>>> On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>>>>
>>>> Lack of time on the Open Source projects is understandable, and not uncommon.
>>>>
>>>> However, PKCS11 has been in the codebase practically forever - the ECC
>>>> patches that I saw did not alter the API or such. It is especially
>>>> non-invasive when digital signature is concerned.
>>>>
>>>> Considering how long those patches have been sitting in the queue, and
>>>> the continued interest among the users - perhaps you can prioritize
>>>> the integration?
>>> If someone can recommend hardware and some instructions on how to
>>> set it up that will only improve the chances of this happening sooner.
>>>
>>> -d
Jan “Zviratko” Schermer
2018-Aug-14 15:12 UTC
Why still no PKCS#11 ECC key support in OpenSSH ?
You'd be right except those patches could have been in something like 6.5 already. Just merge the damn thing, THEN improve it...

Sent from my iPhone

> On 14 Aug 2018, at 18:09, Ben Lindstrom <mouring at offwriting.org> wrote:
>
> *shrug* I would argue this is the perfect time. These patches will not end up in 7.8 as it is "feature complete." So you're at the start of the 7.9 cycle, which is the perfect time to redesign and implement a better solution, as you have a nice long haul period to get it right.
>
> Ben
>
> Jan “Zviratko” Schermer wrote:
>> PKCS#11 support for ECC should have been integrated years ago. Let's not complicate it now, just integrate the existing patches so that people stuck with EC keys at least can use them somehow...
>>
>> Jan
>>
>> Sent from my iPhone
>>
>>> On 14 Aug 2018, at 17:04, Ben Lindstrom <mouring at offwriting.org> wrote:
>>>
>>> Wasn't there a proposal at one time to create something like AuthorizedKeysCommand for PKCS11 and other methods that required more complex backend processes, so it could be externalized and OpenSSH could be simplified?
>>>
>>> Ben
>>>
>>> Damien Miller wrote:
>>>>> On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>>>>>
>>>>> Lack of time on the Open Source projects is understandable, and not uncommon.
>>>>>
>>>>> However, PKCS11 has been in the codebase practically forever - the ECC
>>>>> patches that I saw did not alter the API or such. It is especially
>>>>> non-invasive when digital signature is concerned.
>>>>>
>>>>> Considering how long those patches have been sitting in the queue, and
>>>>> the continued interest among the users - perhaps you can prioritize
>>>>> the integration?
>>>> If someone can recommend hardware and some instructions on how to
>>>> set it up that will only improve the chances of this happening sooner.
>>>>
>>>> -d
Blumenthal, Uri - 0553 - MITLL
2018-Aug-14 15:23 UTC
Why still no PKCS#11 ECC key support in OpenSSH ?
OpenSSL developers accepted that if an expected capability (such as a getter function when a setter is present) is missing, it is a bug to be fixed - not a feature to consider for a future release. In the same spirit, I'd argue that this is not a feature to be added, but a bug to be fixed: PKCS#11 is supported. RSA is supported. ECC is supported. But one combination of these is not. I say it's a bug, whose fix does not need to wait till 7.9.

And if the mere application of one of the already-provided patches has been taking so long - I shudder to think how long the redesign would take (not that I really care for it).

On 8/14/18, 11:15, "openssh-unix-dev on behalf of Ben Lindstrom" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of mouring at offwriting.org> wrote:

*shrug* I would argue this is the perfect time. These patches will not end up in 7.8 as it is "feature complete." So you're at the start of the 7.9 cycle, which is the perfect time to redesign and implement a better solution, as you have a nice long haul period to get it right.

Ben

Jan “Zviratko” Schermer wrote:
> PKCS#11 support for ECC should have been integrated years ago. Let's not complicate it now, just integrate the existing patches so that people stuck with EC keys at least can use them somehow...
>
> Jan
>
> Sent from my iPhone
>
>> On 14 Aug 2018, at 17:04, Ben Lindstrom <mouring at offwriting.org> wrote:
>>
>> Wasn't there a proposal at one time to create something like AuthorizedKeysCommand for PKCS11 and other methods that required more complex backend processes, so it could be externalized and OpenSSH could be simplified?
>>
>> Ben
>>
>> Damien Miller wrote:
>>>> On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>>>>
>>>> Lack of time on the Open Source projects is understandable, and not uncommon.
>>>>
>>>> However, PKCS11 has been in the codebase practically forever - the ECC
>>>> patches that I saw did not alter the API or such. It is especially
>>>> non-invasive when digital signature is concerned.
>>>>
>>>> Considering how long those patches have been sitting in the queue, and
>>>> the continued interest among the users - perhaps you can prioritize
>>>> the integration?
>>> If someone can recommend hardware and some instructions on how to
>>> set it up that will only improve the chances of this happening sooner.
>>>
>>> -d