IETF-SSH archive


Re: Extension of the agent protocol for the PKCS#11 URI scheme



On Thu, 2010-12-09 at 13:00 +0100, Jan Pechanec wrote:
> On Wed, 8 Dec 2010, Jeffrey Hutzelman wrote:
> 
> >On Wed, 2010-12-08 at 13:58 +0100, Jan Pechanec wrote:
> >> 	Oracle's implementation of the X.509 part[1]
> >
> >You should be aware that the referenced document is an expired
> >internet-draft, and does not represent any part of the SSH protocol
> >specification.  It was one proposal for adding X.509 certificate support
> >to SSH, but did not end up being adopted.  In particular, you should be
> >aware that the public key algorithm names mentioned in that document
> >come from that portion of the namespace that is reserved for assignment
> >by IANA according to the "IETF Consensus" policy, and appear in no
> >registry.
> 
> 	hi, I'm aware of that. However, at least 4 different
> implementations support the original draft - VanDyke, Attachmate, Roumen
> Petrov's patch to OpenSSH, and Tectia (I think). We want to be
> compatible with such implementations.

Fair enough.

> >IIRC, the existing smartcard support doesn't use PKCS#11 at all.  The
> >only implementation I've played with transmits both a reader ID (which
> >is really what PKCS#11 would consider a single slot) and a key ID, so in
> >fact only a single key is named.  In any case, I agree that reusing
> >those messages seems like a hack, and adding new messages may be more
> >appropriate.  I'd suggest doing something a bit more general, but I
> >think the community has mostly settled on PKCS#11 as being the primary
> >abstraction for this (which would be fine, if it didn't deal so poorly
> >with dynamic changes in the number of slots).
> 
> 	the original smartcard code was replaced with PKCS#11 support in
> OpenSSH 5.4. I guess you had worked with the original code.

Indeed, I wasn't aware that such progress had been made.

-- Jeff