On 11/16/16, 2:11 PM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu@xxxxxxxxxxx on behalf of jmtapio@xxxxxxx> wrote:

The patch does not change any existing functionality. It only adds a mechanism that allows users to force providing a pin code even if one is not asked by default. Nothing happens if the users do not trigger the mechanism and I am not sure why anything would break even if they did provide a pin code.

OK, that makes things better.

> Yes, very valid concern and approach. As I said, *my* concern is avoiding
> the need to provide a PIN for non-private keys and certs.

If the pin is not provided using our mechanism, then it is NULL and C_Login is not called, just as without our patch. So no change there to existing behavior.

The mechanism might require some more thinking. But based on the above, I (reluctantly – I still don’t like it) withdraw my objection.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev