Re: [PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



I'm disappointed that the maintainers haven't integrated ECDSA support yet, and urge to do so now.

Regards,
Uri

Sent from my iPhone

> On Dec 20, 2017, at 19:48, Mathias Brossard <mathias@xxxxxxxxxxxx> wrote:
> 
> Hi,
> 
> Two years ago I submitted a patch (
> https://bugzilla.mindrot.org/show_bug.cgi?id=2474) to enable ECDSA in
> PKCS#11 support for ssh-agent. During this time:
> - The value of 2FA has become increasingly visible, and is sometimes even
> mandated by regulations. 2FA tokens that can store asymmetric keys are more
> readily available.
> - The ROCA vulnerability impacting millions of smartcards for RSA key
> generation. Cryptographic algorithm agility is a good thing, and can help
> to work-around those kind of issues.
> - Many people, in the ticket, the mailing-list or privately to me, have
> showed an interest in the patch, several of them expressing a desire to
> help. I got test results, bug reports, improvements requests and patches.
> 
> ECDSA is not perfect but in the context of SSH with secure elements, the
> signature is faster and smaller than RSA at similar security levels. Some
> of my fellow contributors have asked what we can do to help this get merged
> upstream. Except tracking new releases and possible additional issues
> encountered in test, I think at this point we can't do a lot more on our
> own. We would welcome additional feedback, in particular from maintainers.
> 
> Sincerely,
> -- 
> Mathias Brossard
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux