Hi,

There is no need to add new mechanism identifiers to use specific curves. This can be done already using the CKM_ECDSA mechanism parameters (see CKA_ECDSA_PARAMS in the standard).

Given that the underlying HW or SW tokens support Ed25519 curves, then you could leverage it even with version 2.20 of the PKCS#11 standard.

Cheers,
Thomas

On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert@xxxxxxxxx> wrote:

> On 10/8/2015 4:49 AM, Simon Josefsson wrote:
>
>> Mathias Brossard <mathias@xxxxxxxxxxxx> writes:
>>
>>> Hi,
>>>
>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11
>>> support of ssh-agent which will be of interest to other users.
>>
>> Nice! What would it take to add support for Ed25519 too? Do we need to
>> allocate any new PKCS#11 identifiers?
>
> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these
> can get out of hand. Best to try and get them in the standard. OASIS
> controls the standard From 14 April 2015:
>
> http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html
>
> 2.40 does not define Ed25519.
>
>> The Gnuk smartcard supports
>> Ed25519 but I don't know if it is common to use it with OpenSSH through
>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's
>> gpg-agent). At least it might be useful as a test case.
>>
>> /Simon
>
> --
>
> Douglas E. Engert <DEEngert@xxxxxxxxx>

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
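The thread turns on selecting a curve through the key's CKA_ECDSA_PARAMS attribute, which carries DER-encoded curve parameters, commonly a named-curve OBJECT IDENTIFIER. The following is an added example, not code from the thread or from OpenSSH: it builds those bytes from a dotted OID. The helper name `ec_params_from_oid` is hypothetical, and which OIDs a given token accepts depends on the token.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Write one OID arc in base 128; every byte but the last has the high bit set. */
static size_t put_arc(unsigned long v, unsigned char *out)
{
    unsigned char tmp[10];
    size_t n = 0, i;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    for (i = 0; i < n; i++)
        out[i] = (unsigned char)(tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0));
    return n;
}

/* Hypothetical helper: encode a dotted OID ("1.2.840.10045.3.1.7") as a DER
 * OBJECT IDENTIFIER. Returns bytes written, or 0 on bad input or short buffer. */
size_t ec_params_from_oid(const char *dotted, unsigned char *out, size_t outlen)
{
    unsigned char body[64];
    size_t blen = 0, narcs = 0;
    unsigned long first = 0;

    while (*dotted) {
        char *end;
        unsigned long arc;
        if (*dotted < '0' || *dotted > '9') return 0;   /* no signs, spaces, "..": */
        arc = strtoul(dotted, &end, 10);
        if (narcs == 0) {
            if (arc > 2) return 0;                      /* first arc is 0, 1 or 2 */
            first = arc;
        } else {
            if (narcs == 1) {                           /* first two arcs share a byte */
                if (first < 2 && arc > 39) return 0;
                arc += 40 * first;
            }
            if (blen + 10 > sizeof(body)) return 0;     /* room for the longest arc */
            blen += put_arc(arc, body + blen);
        }
        narcs++;
        if (*end == '.') { if (end[1] == '\0') return 0; end++; }
        else if (*end != '\0') return 0;
        dotted = end;
    }
    if (narcs < 2 || outlen < blen + 2) return 0;
    out[0] = 0x06;                                      /* tag: OBJECT IDENTIFIER */
    out[1] = (unsigned char)blen;                       /* short-form length (< 128) */
    memcpy(out + 2, body, blen);
    return blen + 2;
}
```

The returned buffer and length are what would go into the `pValue` and `ulValueLen` fields of the attribute in a key template.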