[openssl-dev] [RFC v2 2/2] pem: load engine keys

James Bottomley James.Bottomley at HansenPartnership.com
Fri Dec 9 00:22:40 UTC 2016


On Thu, 2016-12-08 at 15:56 -0800, James Bottomley wrote:
> On Thu, 2016-12-08 at 23:44 +0000, David Woodhouse wrote:
> > On Tue, 2016-12-06 at 22:30 +0100, Richard Levitte wrote:
> > > Oh....
> > > 
> > > I think I aired some thoughts on using PEM headers a very long
> > > while ago, but that never came into fruition, among others because
> > > I ended up doubting that it would be the best way in the long run.
> > > 
> > > These days, the use of PEM headers is considered old and kinda
> > > sorta deprecated, even though OpenSSL still produces encrypted
> > > private key PEM files that use headers for the encryption metadata.
> > > It seems that PKCS#8 is preferred "out there".
> > > 
> > > So I have to wonder, is PEM really the right way to go for this?
> > > Would it be just as possible to wrap a TSS key with a PKCS#8
> > > container, and use the associated attributes for the external
> > > data?
> > > Just a thought, though...  I can't do more than throw around
> > > ideas, considering how little I know about TPM.
> > 
> > I would definitely suggest that we *don't* want to do it with PEM
> > headers. Just put the additional information into the binary ASN.1
> > structure.
> 
> Which evil is lesser?  If we put it in ASN.1 we'll be defining our
> own instead of using the TSS defined one.  If we use headers, we can
> put the extra data in them and use the TSS defined ASN.1 for the key
> blob.
> 
> > The 2.0 version of the TssBlob (from §3.23 of the 1.2 spec) should
> > hopefully contain all the auxiliary information we need, without 
> > having to stick it in PEM headers.
> 
> Which of the many specs is this?

I'm guessing you mean this:

https://www.trustedcomputinggroup.org/wp-content/uploads/TSS_Version_1.2_Level_1_FINAL.pdf

?  It still doesn't tell you who the expected parent of the key would
be, which is the problem I'm currently trying to solve.

James
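The two designs argued over above (metadata in RFC 1421-style PEM headers beside an unchanged TSS key blob, versus metadata inside the ASN.1) differ mostly in what a loader has to parse. The following parser is an added example written for this page; it is not code from the thread, from OpenSSL or from any TPM engine. It reads a PEM file the way OpenSSL's own encrypted keys are laid out (header lines, a blank line, then the base64 body) and shows how a loader would pull the encryption metadata from `Proc-Type`/`DEK-Info`, or an out-of-band parent reference from a header, while leaving the body bytes untouched for the TSS-defined ASN.1 parser. The `TSS KEY BLOB` label, the `Parent` header name and the sample blob bytes are assumptions constructed for the example, not anything the thread defines.

```python
import base64
import re

# One PEM block: "-----BEGIN label-----" ... "-----END label-----".
# The backreference makes sure BEGIN and END labels match.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<content>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return a list of {"label", "headers", "der"} for every PEM block in text.

    Header lines ("Key: value") come first and are terminated by a blank
    line, as in RFC 1421 and OpenSSL's encrypted private keys. A line
    starting with whitespace continues the previous header. The body is
    base64-decoded but otherwise not interpreted here.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        headers = {}
        body_lines = []
        in_headers = True
        last_key = None
        for line in m.group("content").splitlines():
            if in_headers:
                if line.strip() == "":
                    in_headers = False  # blank line ends the header section
                    continue
                if line[0].isspace() and last_key is not None:
                    headers[last_key] += " " + line.strip()  # continuation line
                    continue
                if ":" in line:
                    key, _, value = line.partition(":")
                    last_key = key.strip()
                    headers[last_key] = value.strip()
                    continue
                in_headers = False  # no headers at all: first base64 line
            body_lines.append(line.strip())
        der = base64.b64decode("".join(body_lines), validate=True)
        blocks.append({"label": m.group("label"), "headers": headers, "der": der})
    return blocks


def encryption_info(block):
    """(cipher, iv bytes) from OpenSSL-style headers, or None if not encrypted."""
    if block["headers"].get("Proc-Type") != "4,ENCRYPTED":
        return None
    cipher, _, iv_hex = block["headers"]["DEK-Info"].partition(",")
    return cipher.strip(), bytes.fromhex(iv_hex.strip())


def parent_handle(block):
    """Parent key reference carried in a hypothetical 'Parent' header, as int."""
    value = block["headers"].get("Parent")
    return int(value, 0) if value is not None else None


# Constructed sample input. The body "MAMCAQU=" decodes to the DER
# SEQUENCE { INTEGER 5 } and stands in for a real key blob.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MAMCAQU=
-----END RSA PRIVATE KEY-----
-----BEGIN TSS KEY BLOB-----
Parent: 0x81000001
Comment: constructed sample, the blob bytes are a placeholder,
 not a real TSS structure

MAMCAQU=
-----END TSS KEY BLOB-----
"""


if __name__ == "__main__":
    for blk in parse_pem(SAMPLE_PEM):
        print(blk["label"], blk["headers"], blk["der"].hex(),
              encryption_info(blk), parent_handle(blk))
```

The point the example makes concrete is the trade-off James describes: with headers, the loader needs only this small text parser plus the existing TSS blob parser, and the blob bytes on disk stay exactly what the TSS produced; with an ASN.1 wrapper, the same `Parent` value would instead be a field in a new structure that every consumer has to agree on.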
