[openssl-dev] [RFC v2 2/2] pem: load engine keys

David Woodhouse dwmw2 at infradead.org
Thu Dec 8 23:44:41 UTC 2016


On Tue, 2016-12-06 at 22:30 +0100, Richard Levitte wrote:
> Oh....
> 
> I think I aired some thoughts on using PEM headers a very long while
> ago, but that never came to fruition, among others because I ended
> up doubting that it would be the best way in the long run.
> 
> These days, the use of PEM headers is considered old and kinda sorta
> deprecated, even though OpenSSL still produces encrypted private key
> PEM files that use headers for the encryption metadata.  It seems
> that PKCS#8 is preferred "out there".
> 
> So I have to wonder, is PEM really the right way to go for this?
> Would it be just as possible to wrap a TSS key with a PKCS#8
> container, and use the associated attributes for the external data?
> Just a thought, though...  I can't do more than throw around ideas,
> considering how little I know about TPM.

I would definitely suggest that we *don't* want to do it with PEM
headers. Just put the additional information into the binary ASN.1
structure.

The 2.0 version of the TssBlob (from §3.23 of the 1.2 spec) should
hopefully contain all the auxiliary information we need, without having
to stick it in PEM headers.

-- 
dwmw2
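
The contrast discussed in this thread, shown as an added example that is not part of the original messages or of OpenSSL's code: a small PEM reader that reports whether a block's encryption metadata sits in textual PEM headers (the traditional OpenSSL format) or inside the binary ASN.1 structure (PKCS#8). The sample blocks are constructed with placeholder bytes instead of real keys, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample input: the bodies are placeholder bytes, not real keys.
_BODY = base64.b64encode(bytes(range(48))).decode()
LEGACY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    f"{_BODY}\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_PEM = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    f"{_BODY}\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return a list of (label, headers, der_bytes), one per PEM block."""
    out = []
    for m in _BLOCK.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers, i = {}, 0
        # RFC 1421 style headers: "Name: value" lines ended by a blank line.
        # Base64 never contains ':', so this cannot swallow body lines.
        while i < len(lines) and ":" in lines[i]:
            name, _, value = lines[i].partition(":")
            headers[name.strip()] = value.strip()
            i += 1
        body = "".join(line.strip() for line in lines[i:])
        out.append((label, headers, base64.b64decode(body, validate=True)))
    return out


def metadata_location(label, headers):
    """Say where the encryption metadata for this block is carried."""
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        return "pem-headers"  # text outside the ASN.1, lost on DER conversion
    if label == "ENCRYPTED PRIVATE KEY":
        return "asn1"         # PKCS#8 EncryptedPrivateKeyInfo carries it
    return "none"
```
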