IETF-SSH archive


Re: Extension of the agent protocol for the PKCS#11 URI scheme



On Wed, 8 Dec 2010, Jeffrey Hutzelman wrote:

>On Wed, 2010-12-08 at 13:58 +0100, Jan Pechanec wrote:
>> 	Oracle's implementation of the X.509 part[1] 
>
>You should be aware that the referenced document is an expired
>internet-draft, and does not represent any part of the SSH protocol
>specification.  It was one proposal for adding X.509 certificate support
>to SSH, but did not end up being adopted.  In particular, you should be
>aware that the public key algorithm names mentioned in that document
>come from that portion of the namespace that is reserved for assignment
>by IANA according to the "IETF Consensus" policy, and appear in no
>registry.

	hi, I'm aware of that. However, at least 4 different 
implementations support the original draft - VanDyke, Attachmate, Roumen 
Petrov's patch to OpenSSH, and Tectia (I think). We want to be 
compatible with such implementations.

>You should take a look at draft-igoe-secsh-x509v3-06.txt, which is
>currently in IESG review and is likely to come up again for discussion
>shortly on this mailing list, due to some changes that have been
>proposed.

	I know the draft and I hope it will become an RFC soon. As far 
as I know, no implementation supports it yet. It should not be difficult 
for us to add support for it in the future.

[...]

>IIRC, the existing smartcard support doesn't use PKCS#11 at all.  The
>only implementation I've played with transmits both a reader ID (which
>is really what PKCS#11 would consider a single slot) and a key ID, so in
>fact only a single key is named.  In any case, I agree that reusing
>those messages seems like a hack, and adding new messages may be more
>appropriate.  I'd suggest doing something a bit more general, but I
>think the community has mostly settled on PKCS#11 as being the primary
>abstraction for this (which would be fine, if it didn't deal so poorly
>with dynamic changes in the number of slots).

	the original smartcard code was replaced with PKCS#11 support in 
OpenSSH 5.4. I guess you had worked with the original code.

[...]

>I think it's a (past) mistake to think of the agent protocol as being
>something private, rather than something for which interoperability is
>desirable and therefore for which standardization is appropriate.  I
>imagine if someone wanted to write an I-D documenting the protocol and
>setting up a registry for these values, that would be a good thing.  Not
>that I'm volunteering, mind you.

	I agree. Before that happens, I think this alias is still the 
best communication channel for such things.

	thanks for the comments, Jan.

-- 
Jan Pechanec
http://blogs.sun.com/janp
