[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Richard Levitte levitte at openssl.org
Tue Nov 22 13:06:08 UTC 2016


In message <1479815862.8937.22.camel at infradead.org> on Tue, 22 Nov 2016 11:57:42 +0000, David Woodhouse <dwmw2 at infradead.org> said:

dwmw2> On Mon, 2016-11-21 at 13:50 +0000, Blumenthal, Uri - 0553 - MITLL
dwmw2> wrote:
dwmw2> > Frankly, I think this approach of specially-encoded PEM or DER files
dwmw2> > telling the app what key to ask from the engine is madness, compared
dwmw2> > to the straightforward URI approach (no pun intended :).
dwmw2> 
dwmw2> Right. There are two separate things that the TPM can do for keys.
dwmw2> 
dwmw2> There is storage in the TPM itself, and you can reference a key therein
dwmw2> by its UUID. In Nikos's draft, and in GnuTLS, you end up with something
dwmw2> like tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user
dwmw2> 
dwmw2> To use a PEM file for that does seem like madness; I agree.
dwmw2> 
dwmw2> However, Nikos's draft also supports a URI of the form:
dwmw2>  tpmkey:file=/foo/bar/key.pem
dwmw2> 
dwmw2> This, I do not like. It runs entirely contrary to my assertion in
dwmw2> http://david.woodhou.se/draft-woodhouse-cert-best-practice.html that
dwmw2> applications should Just Bloody Work with whatever file they're handed,
dwmw2> without needing to be *told* what the file contains.

Not sure I follow...  'file=/foo/bar/key.pem' is just a path /
parameter that the 'tpmkey' handler is free to interpret in whatever
way it sees fit.  For me as a user, it's just a string.  For all I
care, the URI could just as well be 'tpmkey:id=L2Zvby9iYXIva2V5LnBlbQ=='
That doesn't say anything about the contents of /foo/bar/key.pem, not
more than file:/foo/bar/key.pem does, or even if there actually is a
file /foo/bar/key.pem.  Maybe I misunderstand what you're after...

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
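The two tpmkey URI forms quoted above (uuid= with storage= for a key held in the TPM, and file= for a blob on disk), parsed and strictly validated, as an added example that is not code from this thread, from Nikos's draft or from OpenSSL. The attribute names come from the thread; restricting storage= to user/system, requiring exactly one of uuid= or file=, and rejecting unknown or duplicate attributes are assumptions chosen so that a handler fails closed on anything it does not understand.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote

# RFC 4122 textual UUID, as in the uuid= example from the thread.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Assumed set of valid storage= values (not taken from the thread).
STORAGE_VALUES = {"user", "system"}
KNOWN_ATTRS = {"uuid", "storage", "file"}


@dataclass
class TpmKeyRef:
    uuid: Optional[str] = None     # key stored inside the TPM, addressed by UUID
    storage: Optional[str] = None  # which TPM key store the UUID lives in
    file: Optional[str] = None     # path to an on-disk blob the handler must load

    @property
    def kind(self) -> str:
        return "tpm-stored" if self.uuid is not None else "file-backed"


def parse_tpmkey_uri(uri: str) -> TpmKeyRef:
    """Parse 'tpmkey:attr=value;attr=value' and reject anything ambiguous."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "tpmkey":
        raise ValueError("not a tpmkey URI")
    attrs: Dict[str, str] = {}
    for part in rest.split(";"):
        name, eq, value = part.partition("=")
        name = name.lower()
        if not name or not eq:
            raise ValueError(f"malformed attribute: {part!r}")
        if name not in KNOWN_ATTRS:
            raise ValueError(f"unknown attribute: {name}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote(value)  # attribute values may be percent-encoded
    # Exactly one way to locate the key: either in the TPM or in a file.
    if ("uuid" in attrs) == ("file" in attrs):
        raise ValueError("exactly one of uuid= or file= is required")
    if "uuid" in attrs and not UUID_RE.match(attrs["uuid"].lower()):
        raise ValueError("malformed uuid")
    if "storage" in attrs and "file" in attrs:
        raise ValueError("storage= only applies to uuid= references")
    if "storage" in attrs and attrs["storage"] not in STORAGE_VALUES:
        raise ValueError("storage must be 'user' or 'system'")
    uuid = attrs["uuid"].lower() if "uuid" in attrs else None
    return TpmKeyRef(uuid=uuid, storage=attrs.get("storage"), file=attrs.get("file"))


def is_valid_tpmkey_uri(uri: str) -> bool:
    try:
        parse_tpmkey_uri(uri)
        return True
    except ValueError:
        return False
```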
