On 9 May 2008, at 03:36, Mccue, Richard Alan wrote:

>> How do you feel about PKCS#11 ?

> I'm not sure the device I'm working with fits well with the PKCS#11
> token interface. The device is a little more complicated than a
> smartcard. It can handle multiple private keys. If a dozen apps all
> have different private RSA keys, each app can load its key
> separately and have the device encrypt/decrypt with it. PKCS#11 is
> on my list of things to investigate more deeply. Maybe later this
> year I'll understand PKCS#11 a little better.

Can you tell us what the device is and/or what engine you are trying
to use?

It sounds like an HSM - if it is, then it almost certainly supports
PKCS#11. Using a PKCS#11-enabled version of OpenSSH will most likely be
easier than trying to support every different OpenSSL engine that a
user might decide to use.

John Dickinson

openssh-unix-dev mailing list