[openssl-dev] [RFC v2 2/2] pem: load engine keys

James Bottomley James.Bottomley at HansenPartnership.com
Thu Dec 8 23:56:41 UTC 2016


On Thu, 2016-12-08 at 23:44 +0000, David Woodhouse wrote:
> On Tue, 2016-12-06 at 22:30 +0100, Richard Levitte wrote:
> > Oh....
> > 
> > I think I aired some thoughts on using PEM headers a very long while
> > ago, but that never came into fruition, among others because I ended
> > up doubting that it would be the best way in the long run.
> > 
> > These days, the use of PEM headers is considered old and kinda sorta
> > deprecated, even though OpenSSL still produces encrypted private key
> > PEM files that use headers for the encryption metadata.  It seems
> > that PKCS#8 is preferred "out there".
> > 
> > So I have to wonder, is PEM really the right way to go for this?
> > Would it be just as possible to wrap a TSS key with a PKCS#8
> > container, and use the associated attributes for the external data?
> > Just a thought, though...  I can't do more than throw around ideas,
> > considering how little I know about TPM.
> 
> I would definitely suggest that we *don't* want to do it with PEM
> headers. Just put the additional information into the binary ASN.1
> structure.

Which evil is lesser?  If we put it in ASN.1 we'll be defining our own
instead of using the TSS defined one.  If we use headers, we can put
the extra data in them and use the TSS defined ASN.1 for the key blob.

> The 2.0 version of the TssBlob (from §3.23 of the 1.2 spec) should
> hopefully contain all the auxiliary information we need, without
> having to stick it in PEM headers.

Which of the many specs is this?

James
