Re: ssh-agent add PKCS#11 support (OpenSSH Development forum, Networking and Network Related category)

Peter Stuge wrote:
> On Wed, Oct 05, 2005 at 01:14:57AM +0000, Alon Bar-Lev wrote:
>
>>I can easily make the scard.c, scard-opensc.c and
>>ssh-agent.c support PKCS#11.
>
>
> If you do, may I suggest checking out libp11, also by the OpenSC
> project.
>
> http://www.opensc.org/libp11/

Hello,

I've seen this lib and I don't think it is flexible enough. It handles only one provider at a time, it does not allow selecting objects based on attributes, and it performs some unneeded operations with the token that may lead to incompatibility. It also assumes that public keys are stored on the token; this is incorrect.

I have a different implementation that minimizes the requirements from the token. It also supports several providers, so that the user can load all of his providers with the same configuration. The user can select objects based on slot id, slot name, token label and object id, object label, certificate subject name.

The best way is for the user to select the object by token label and certificate subject name; then he can insert the token into any slot and even renew his certificate, and the software will continue to work.

Best Regards,
Alon Bar-Lev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
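
The selection behaviour described in the reply above, as an added example that is not code from the post, from OpenSSH or from libp11: it models already-enumerated certificate objects as plain structs and compares a slot-id/object-id selector with a token-label/subject selector after the token changes slot and its certificate is renewed. All names, the sample rows, the assumption that renewal changes the object id, and the refusal of ambiguous matches are choices made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: one row per certificate object found after enumerating
 * all loaded providers. Plain structs, not real PKCS#11 calls. */
struct cert_obj {
    const char *provider;     /* module name (hypothetical) */
    unsigned long slot_id;    /* changes when the token moves to another slot */
    const char *token_label, *subject;
    const char *obj_id;       /* assumed to change when the cert is renewed */
};
#define ANY_SLOT ((unsigned long)-1)
struct selector {             /* ANY_SLOT / NULL fields match anything */
    unsigned long slot_id;
    const char *token_label, *subject, *obj_id;
};

static int str_ok(const char *want, const char *have)
{ return want == NULL || strcmp(want, have) == 0; }

/* Return the single matching object, or NULL when none or several match
 * (refusing an ambiguous match is a choice made for this example). */
const struct cert_obj *select_obj(const struct cert_obj *o, size_t n,
                                  const struct selector *s)
{
    const struct cert_obj *hit = NULL;
    for (size_t i = 0; i < n; i++) {
        if (s->slot_id != ANY_SLOT && s->slot_id != o[i].slot_id) continue;
        if (!str_ok(s->token_label, o[i].token_label) ||
            !str_ok(s->subject, o[i].subject) || !str_ok(s->obj_id, o[i].obj_id))
            continue;
        if (hit) return NULL;  /* more than one candidate: do not guess */
        hit = &o[i];
    }
    return hit;
}

/* Constructed sample: same token before and after a slot change and renewal. */
const struct cert_obj before[] = {{"vendorA.so", 0, "alice-token", "CN=Alice", "01"},
                                  {"vendorB.so", 0, "build-token", "CN=Build", "07"}};
const struct cert_obj after[] = {{"vendorA.so", 3, "alice-token", "CN=Alice", "02"},
                                 {"vendorB.so", 0, "build-token", "CN=Build", "07"}};
const struct selector by_slot = {0, NULL, NULL, "01"};
const struct selector by_name = {ANY_SLOT, "alice-token", "CN=Alice", NULL};

int main(void)
{
    printf("slot/id selector after move: %s\n",
           select_obj(after, 2, &by_slot) ? "found" : "lost");
    printf("label/subject selector after move: slot %lu\n",
           select_obj(after, 2, &by_name)->slot_id);
    return 0;
}
```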