On 5/10/07, Peter Stuge <[EMAIL PROTECTED]> wrote:
> This depends on the definition of standard.
>
> Secure shell is also a standard. The SSH agent protocol too.

SSH is; the SSH agent protocol is specific to an implementation.

> But what really matters is that the SSH agent protocol is already
> implemented everywhere.

Not at all!
This is how we got to a non-usable environment for users.
Please read:
http://alon.barlev.googlepages.com/open-source

We have an agent for ssh, an agent for gnupg, an agent for gnome; gnutls
wanted to add its own agent.
Every project out there thinks it is smarter than the others, creates its
own interface, and calls it a standard.
A standard is not only a document YOU agree on, it is a specification
that MANY partners agree on, and for different usages.

In terms of accessing cryptographic material we have two standards:
1. CryptoAPI - standard by monopoly.
2. PKCS#11

You can say that PKCS#11 is too complex, badly designed, is an API and
not a data specification, is missing key features; I will agree with
all of that. But at least it is available for developers and users to use.

If all applications such as OpenSSL, GnuTLS, OpenVPN, OpenSSH, GnuPG,
KDE, Gnome, Mozilla etc. had supported one interface, namely
PKCS#11, users would benefit from a secure environment.

Nowadays, a user has to run about 5 separate agents on his machine in
order to work with his smartcard. This is unacceptable.

> Requiring PKCS#11 in ssh to be able to use p11net would be rather
> useless in the short term (because it would not be widely available)
> while providing an SSH agent proxy would make p11net useful
> everywhere immediately! :)

I am looking into the long term... making open source developers realize
that they need to conform to standards for users' sake.
I am doing most of the work; most projects are happy to merge the
modifications, others such as OpenSSH and GnuPG are not.

GnuPG developers just don't like PKCS#11.
OpenSSH developers were interested at first, then disappeared.

I know that many users choose to use the PKCS#11 implementation of
these two, since it solves so many incompatibility issues.

OpenVPN users are very happy that upstream was responsive.
I hope that KDE developers will be happy as well, if we can get
Konqueror to use QCA in the next version.

GnuTLS has work in progress, and I hope that the new API additions
will enable PKCS#11 integration.

> Another option that works equally well is of course to teach
> ssh-agent PKCS#11.

This is what I have done.

Best Regards,
Alon Bar-Lev.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
