Hi Simon, Agreed, ecParameters are not suitable but namedCurve should do the trick. Did you mean: 1.3.6.1.4.1.11591.15.1 which seems reserved by GNU for Ed25519 (https://www.gnu.org/prep/standards/html_node/OID-Allocations.html)? As for putting it into the standard, not sure this is even needed. Cheers, Thomas On Thu, Oct 8, 2015 at 3:17 PM, Simon Josefsson <simon@xxxxxxxxxxxxx> wrote: > Thomas Calderon <calderon.thomas@xxxxxxxxx> writes: > > > Hi, > > > > There is no need to add new mechanism identifiers to use specific curves. > > > > This can be done already using the CKM_ECDSA mechanism parameters (see > > CKA_ECDSA_PARAMS > > in the standard). > > Given that the underlying HW or SW tokens supports Ed25519 curves, then > you > > could leverage it even with version 2.20 of the PKCS#11 standard. > > I think you need an OID to put in the namedCurve field of EC Parameters > structure, right? The structure is: > > Parameters:: = CHOICE { > ecParametersECParameters, > namedCurveCURVES. & id( { CurveNames}), > implicitlyCANULL} > > The ecParametersECParameters approach doesn't work, I believe, for > EdDSA, but a namedCurve would probably do. But what OID to use? I'm > happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for > Ed25519 in PKCS#11. > > I'm not sure this approach works out -- but let's try. > > /Simon > > > Cheers, > > > > Thomas > > > > On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert@xxxxxxxxx> > wrote: > > > >> > >> > >> On 10/8/2015 4:49 AM, Simon Josefsson wrote: > >> > >>> Mathias Brossard <mathias@xxxxxxxxxxxx> writes: > >>> > >>> Hi, > >>>> > >>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 > >>>> support of ssh-agent which will be of interest to other users. > >>>> > >>> > >>> Nice! What would it take to add support for Ed25519 too? Do we need > to > >>> allocate any new PKCS#11 identifiers? > >>> > >> > >> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using > these > >> can > >> get out of hand. Best to try and get them in the standard. OASIS > controls > >> the > >> standard From 14 April 2015: > >> > >> > >> > http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html > >> > >> 2.40 does not define Ed25519. > >> > >> The Gnuk smartcard supports > >>> Ed25519 but I don't know if it is common to use it with OpenSSH through > >>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's > >>> gpg-agent). At least it might be useful as a test case. > >>> > >>> /Simon > >>> > >>> > >>> > >>> _______________________________________________ > >>> openssh-unix-dev mailing list > >>> openssh-unix-dev@xxxxxxxxxxx > >>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > >>> > >>> > >> -- > >> > >> Douglas E. Engert <DEEngert@xxxxxxxxx> > >> > >> > >> _______________________________________________ > >> openssh-unix-dev mailing list > >> openssh-unix-dev@xxxxxxxxxxx > >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > >> > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev