Re: [RFC 1/2] Add support for openssl engine based keys

On Thu, 2 Nov 2017, James Bottomley wrote:

> On Fri, 2017-11-03 at 13:11 +1100, Damien Miller wrote:
> > On Thu, 26 Oct 2017, James Bottomley wrote:
> > 
> > > 
> > > Engine keys are keys whose file format is understood by a specific
> > > engine rather than by openssl itself.  Since these keys are file
> > > based, the pkcs11 interface isn't appropriate for them because they
> > > don't actually represent tokens.
> > 
> > What sort of keys do you have in mind here that can't be represented
> > via PKCS#11?
> 
> Well, the engine keys are flat files, so the usual use case is to take
> the private key file and replace it with an engine key file in the .ssh
> directory so the private key becomes tied to the hardware platform and
> cannot be usefully exfiltrated.

Let me rephrase my question: what does using OpenSSL engines enable
that we can't already do via PKCS#11?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



