[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
Salz, Rich
rsalz at akamai.com
Tue Nov 22 18:29:09 UTC 2016
> That's not the proposal. The proposal is to use PEM form because we can
> make it uniquely self describing using the guard tags which obviates the
> problem above.
Well that's what you want. David wants more than that :)
> On the larger issue of non-self describing formats like ASN.1: if your theory
> that there's a security hole by allowing opportunistic format detection is
> correct, simply making the user specify is palming our bug off on to the user
> and abdicating responsibility because now when they're tricked into an
> exploit they can be blamed not openssl. If such a bug exists, doing
> opportunistic format detection is the better guarantor of overall system
> security because if such a bug is found, it would have to be fixed within
> openssl to everyone's benefit.
We differ.