Am Mittwoch 10 Februar 2010 17:59:18 schrieb Daniel Kahn Gillmor: > What is the _openssl module? do you mean pam_p11_openssh ?
oops, yes. > The amount of storage space on my eGate appears to be such that if it > contains two 2048-bit RSA secret keys, it can only fit one certificate. > since public keys are smaller than certificates, it turns out that it > can store two public keys. hu? how much memory has your card? maybe the profile isn't optimized for your needs, then simply erase the card, edit the sizes in the profile, and re-initialized till it fits your needs. AFAIK cryptoflex is hierarchical - you need to allocate for each directory enough memory so it can contain all containers placed in it. > > so having a debian bug about this possibility is kind of pointless. > > if you send a clean and nice patch to add such functionality, I can > > apply it and release a new version. but since you are the first > > user in ages to ask for such an uncommon feature, it is unlikely anyone > > else will implement it, unless you do it yourself. > > that's fair enough -- and it's actually been on my list of things to > look into doing for a while (though my plate is pretty full at the > moment). Would you prefer i file a bug with some upstream bugtracker as > well to keep it on a list we could both refer to? no, bugs in bug trackers rot - mailing list is best for us. if noone handles some report, putting it in some bug tracker won't change that situation anyway. and with the limited manpower we have, it shouldn't be spend on managing outdated information. > All spelled out, my proposal is: > > * the filesystem can supply certificates, certificate requests, or raw > public keys in ~/.eid/authorized_certificates > > * pam_p11 extracts the RSA public key from these, to create a set of > public keys. > > * the card produces a set of public keys bound to authentication slots, > either embedded in X.509 certificates or as raw public keys. > > * the system finds the first public key which is in both sets, and asks > the user to authenticate to the corresponding slot on the card > > * the system grants the authentication based on whether the card can > properly compute the response to the RSA challenge using the > user-supplied PIN. > > Does that make it clearer? I probably should have written it up like > that earlier. ok, sounds nice. not sure how many users want to use CSR or pubkeys instead of certs, but if these formats can be detected easily, then it is propably not too much code to read them and extract the public rsa key, no matter which format was used. but I have little clue about openssl API, so I can't tell. > I'd like to leave this bug open (possibly forwarding it to an upstream > tracker if you like) until we have a chance to get it sorted out. I > understand that might mean me doing the work, and i don't mind that. ok, fine with me. > Thanks for having this discussion, and thanks for pam_p11! I hope it's > understood that my suggestions and contributions here are meant > constructively, not just whining. no issue at all. hope you don't mind me closing it maybe a bit too fast. Thanks! Andreas -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
