Finally: Login via SSH authentication with OpenPGP smart card & 100% Free Software PCMCIA reader

Alon Bar-Lev alon.barlev at gmail.com
Mon Feb 13 18:32:12 CET 2006


Hello Werner,

Werner Koch wrote:
> On Mon, 13 Feb 2006 13:04:24 +0200, Alon Bar-Lev said:
> 
>> Are you aware of the PKCS#11 for OpenSSH solution
>> (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113977188917865&w=2)?
> 
> Well, I know.  However you know my point of view: pkcs#11 is a
> "standard" too complex to implement correctly and even with a lot of
> important things left out.  It is only required (and that complex) to
> let one proprietary software speak to another proprietary one. 

Well... We discussed that in the past... I don't think so...
Let's say it is too complex... But if you look at this from
the user point of view, there is no logic to reinvent the
wheel for each application. But we discussed this in the past.

> Things can be much easier with FS.  Why support proprietary stuff?

No proprietary... Only a standard interface. The user may
select the proper implementation, let's say OpenPGP PKCS#11
Provider, which is a complete open-source GPLed implementation.

>> I just hope that someday OpenPGP card will also have PKCS#11
>> provider, so it can be used by other applications, and the
> 
> Please write one; gpg-agent provides all you need to do that.  It may
> actually be useful for use with Mozilla..

This should be your interest... If you do that, users will be
able to use your card with many PKCS#11 aware applications. I
don't use/recommend the OpenPGP card since it has too many
limitations.

>> other way around... gpg will use PKCS#11 providers in order
>> to support many card types.
> 
> No, we won't do that.

I know you have a licensing problem... I've been in touch
with FSF in order to provide you with the tools needed for
implementation. I get one reply every two months... So the
process is not over yet.

But it seems like we reached the following conclusion: If a
GPLed application is written in a way that it works with a
standard free interface plug-in (like PKCS#11) and it is not
dependent on a specific implementation (compile time,
features), then there is no GPL violation if the user
chooses to use non-GPLed plug-ins.

I've written the PKCS#11 support for OpenVPN and OpenSSH, I
will gladly add this support to gpg as well... This of
course depends on your decision.



More information about the Gnupg-users mailing list