[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Nov 22 19:02:57 UTC 2016


    James.Bottomley> Yes, that's right.  When any SSL program sees a TPM wrapped key, it
    James.Bottomley> should just do the right thing if it has the engine capability without
    James.Bottomley> needing the user to add any options to the command line.
    
    Mm...  I'm not sure I agree with the method, passing a BIO for the
    key_id. 

I’m sure I rather disagree, and rather strongly.

    I would much rather have seen a patch where OpenSSL's PEM
    module is taught to recognise 'BEGIN TSS KEY BLOB', pull out the blob
    from it, securing it somehow (since key_id is expected to be NUL
    terminated) and pass that to the engine.

I would much rather use PEM only to contain keys/certs instead of “pointing” at them in some weird way.
    
    My vote goes to a URI based spec rather than bastardising PEM files.

+10^101. ☺

    I understand this kinda throws years of development out the window,
    but there you have it.

“It’s never too late to turn back on a wrong road”
 
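As an added illustration of the PEM-label approach debated above (example code written for this archive page, not from the thread, OpenSSL or any TPM engine): it assumes a hypothetical 'TSS KEY BLOB' label, treats the blob as opaque bytes, and shows why a raw blob cannot be carried in a NUL-terminated key_id string.

```python
import base64
import re

# Hypothetical label as proposed in the quoted message; the blob layout is
# not specified there, so this parser treats the decoded payload as opaque.
TSS_LABEL = "TSS KEY BLOB"

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def split_pem_blocks(text):
    """Return [(label, decoded_bytes)] for every PEM block in `text`."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        blocks.append((label, base64.b64decode("".join(body.split()))))
    return blocks


def extract_tss_key_blob(text):
    """Pull the raw blob out of a 'BEGIN TSS KEY BLOB' section, or None."""
    for label, data in split_pem_blocks(text):
        if label == TSS_LABEL:
            return data
    return None


def fits_in_c_string(data):
    """An engine key_id is a NUL-terminated C string: any 0x00 byte inside
    the data would silently truncate it, so raw blobs cannot travel that way."""
    return b"\x00" not in data


def base64_key_id(blob):
    """One NUL-safe way to hand a blob to an engine through key_id: keep it
    base64-encoded (printable ASCII only) and decode it inside the engine."""
    encoded = base64.b64encode(blob).decode("ascii")
    assert fits_in_c_string(encoded.encode("ascii"))
    return encoded


# Constructed sample: a 4-byte fake blob that contains a NUL byte.
SAMPLE_BLOB = b"\x01\x00\x02\x03"
SAMPLE_PEM = (
    "-----BEGIN TSS KEY BLOB-----\n"
    + base64.b64encode(SAMPLE_BLOB).decode("ascii")
    + "\n-----END TSS KEY BLOB-----\n"
)

if __name__ == "__main__":
    blob = extract_tss_key_blob(SAMPLE_PEM)
    print(blob == SAMPLE_BLOB, fits_in_c_string(blob), base64_key_id(blob))
```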

