On Thu, 26 Feb 2015, Michael Stapelberg wrote:

> Now it's great that the protocol spec is there to look at, but it still
> requires more familiarity with the rest of U2F than I have at present.
> The code as it stands also AFAIK requires an incompatibly-licensed
> helper library. Neither of these problems are insurmountable, but they do
> make it harder to start.
>
> Agreed. I want to point out that you still haven't clarified the (to
> me) crucial question, so let me ask you directly:
>
> Do you think, right now, based only on the information you have so
> far, that you'll eventually merge a patch adding U2F to OpenSSH? It's
> okay to reverse your decision later and I'm not taking this as a
> promise, but what I do want to know is the upstream sentiment, i.e. if
> you're rather adverse to having U2F support in OpenSSH at all.

I'm not opposed to it, but U2F is pretty new and I'd probably like to
see how it pans out for a bit first, both in terms of changes made to
the upstream protocol and in how widely adopted it becomes.

New auth/crypto protocols frequently get revised after some contact
with the wider world so there is a cost for early adopters who
frequently have to maintain both revised and legacy versions.

New protocols also often fail in the market (admittedly less likely
in this case, given the industry support), in which case we're doubly
burdened with the hassle of implementing/merging as well as maintaining
or pissing off users if we deprecate.

On the flip side, if there is wide adoption and consequent demand then
that can certainly focus my attention :)

Of course, I'm speaking only for myself and my own priorities. One of
the other developers might feel differently.

-d