[ssh_x509] SSH With TPM Keys

ssh_x509 at roumenpetrov.info
Mon Jul 15 21:57:00 EEST 2019

Hi Jon,

ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> Have you ever considered adding support for TPM protected keys to this implementation?
I don't know enough about TPM keys.

> Specifically, I am considering enhancing the implementation to support TPM keys using TrouSerS and an OpenSSL TPM Engine, but I first wanted to see if this is something that you've thought about in the context of your work. I know this has been done using a pkcs11 provider, but I'm most interested in utilizing the OpenSSL TPM Engine.
It looks like a new key type.
Currently pkcs#11 supports only X.509 certificates for RSA and EC key
types and, as of today, "plain" (public key) for RSA and EC types. With
an engine, DSA could be used in addition.

If TPM is a new key type, it has to be defined in the protocol.
Perhaps we could start with a protocol draft and, at the same time, with
an experimental implementation.

> I think it could be a useful addition since I've seen a fair amount of users with certificates backed by TPM keys. Let me know your thoughts.
> Thanks for your time,
> Jon

