Role Separation
Jordan Brown
openssl at jordan.maileater.net
Mon Sep 16 18:59:30 UTC 2019
On 9/15/2019 8:29 AM, Kyle Hamilton wrote:
> OpenSSL is a toolkit, not a full implementation. More importantly, it
> is a library, so anyone who can link against it can perform all
> operations that the library can support, and the library has no
> concept of role separation built in.
Still more importantly, almost everything OpenSSL does is just math and
file manipulation. S_client and s_server add basic network operations.
There's probably some low-level goop for hardware acceleration, but
that's just acceleration.
You can write a program to do those things without needing to involve
OpenSSL, so restrictions on OpenSSL per se aren't very interesting.
The way to restrict PKI operations (in a simple configuration) is
through file and directory permissions on the data involved.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190916/40a408d0/attachment-0001.html>
More information about the openssl-users
mailing list