I'm disappointed that the maintainers haven't integrated ECDSA support yet, and urge to do so now. Regards, Uri Sent from my iPhone > On Dec 20, 2017, at 19:48, Mathias Brossard <mathias@xxxxxxxxxxxx> wrote: > > Hi, > > Two years ago I submitted a patch ( > https://bugzilla.mindrot.org/show_bug.cgi?id=2474) to enable ECDSA in > PKCS#11 support for ssh-agent. During this time: > - The value of 2FA has become increasingly visible, and is sometimes even > mandated by regulations. 2FA tokens that can store asymmetric keys are more > readily available. > - The ROCA vulnerability impacting millions of smartcards for RSA key > generation. Cryptographic algorithm agility is a good thing, and can help > to work-around those kind of issues. > - Many people, in the ticket, the mailing-list or privately to me, have > showed an interest in the patch, several of them expressing a desire to > help. I got test results, bug reports, improvements requests and patches. > > ECDSA is not perfect but in the context of SSH with secure elements, the > signature is faster and smaller than RSA at similar security levels. Some > of my fellow contributors have asked what we can do to help this get merged > upstream. Except tracking new releases and possible additional issues > encountered in test, I think at this point we can't do a lot more on our > own. We would welcome additional feedback, in particular from maintainers. > > Sincerely, > -- > Mathias Brossard > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev