Re: [RFC 1/2] Add support for openssl engine based keys

>> Let me rephrase my question: what does using OpenSSL engines enable
>> that we can't already do via PKCS#11?
>
> It allows you to use the TPM2 as a secure key store, because there's no
> current PKCS11 code for it.
>
> The essential difference is that Engine files are just that: flat files
> where the key is stored in a form only decodable by the engine.
> PKCS11 tokens are supposed to be represented by tokens and slots, which
> are an active entity storing the key.  So, provided I wrap it correctly,
> I can create a TPM representation on one system (I have to know one of
> the hierarchy seeds on the target), transfer the file to the target
> system and use it;…

What I don’t get is – why not transfer those keys to the target machine “somehow”, load them to the TPM there “somehow”, and then treat TPM as a PKCS#11 device?

If there’s no PKCS#11 “driver” for TPM – then that’s what needs to be added, IMHO.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
