[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

David Woodhouse dwmw2 at infradead.org
Wed Nov 23 14:49:23 UTC 2016


On Wed, 2016-11-23 at 15:21 +0100, Richard Levitte wrote:
> In message <1479908025.8937.74.camel at infradead.org> on Wed, 23 Nov 2016 13:33:45 +0000, David Woodhouse <dwmw2 at infradead.org> said:
> 
> dwmw2> On Wed, 2016-11-23 at 13:13 +0000, Salz, Rich wrote:
> dwmw2> > > But, what I get from you is "what if an octet stream matches two different
> dwmw2> > > ASN.1 types?"  Is that it?
> dwmw2> > 
> dwmw2> > Yes among others.  How do you know it will *never* happen?
> dwmw2> 
> dwmw2> Because if anyone tries to invent yet *another* ASN.1 form for storing
> dwmw2> keys, I am going to personally visit them in the small hours and stick
> dwmw2> a bat up their nightshirt?
> 
> (let's keep the heat down, shall we?)

You're no fun :)

> dwmw2> Hopefully we don't need to add completely new ones; we can use the
> dwmw2> existing PKCS#8 and PKCS#12 containers for new things.
> dwmw2> 
> dwmw2> But even if a new form is invented which is ambiguous with existing
> dwmw2> forms, that's OK too. We don't support 'detection' of that new format
> dwmw2> by its ASN.1 structure. It'll be PEM-only like the TSS blobs are unless
> dwmw2> the type is explicitly specified.
> 
> Errr...  Now I'm confused.  Wasn't that (explicit type spec) exactly
> what you didn't want to see, no matter if the file was PEM or raw DER?

I do not want to see it for *reasonable* file types which are in
*common* use¹. Users should be able to just give the filename to the
application, and expect it to Just Work.

Invent something new and esoteric and stupid, and I don't care about
that as much. I might have been joking about visiting you in the small
hours, but I'm *not* going to tell applications that they have to
accept your format automatically, and that they can't make users jump
through hoops to explicitly specify it.

-- 
dwmw2

¹ And I'm still more than happy to take input on which file types meet
  that definition, and adjust my draft accordingly.
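
The detection policy argued for in this message (a PEM label names the type, bare DER is auto-detected only for a few common structures, anything else needs an explicit type), as an added example that is not code from this thread or from OpenSSL. The function names, the returned strings, the set of recognised shapes and the sample inputs are assumptions made for illustration, and the check looks only at the tags of the outer SEQUENCE's children.

```python
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def child_tags(der_bytes):
    """Tags of the outer SEQUENCE's direct children, or None if not one DER SEQUENCE."""
    try:
        tag, body, end = tlv(der_bytes, 0)
        if tag != 0x30 or end != len(der_bytes):
            return None
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = tlv(body, pos)
            tags.append(t)
        return tags
    except (IndexError, ValueError):
        return None

def detect_key_format(data, explicit=None):
    """Explicit type wins; then the PEM label; then a few unambiguous DER shapes."""
    if explicit:
        return explicit
    m = PEM_RE.search(data)
    if m:
        return "PEM:" + m.group(1).decode()
    tags = child_tags(data)
    if tags == [0x02] * 9:                  # version plus eight INTEGERs
        return "DER:PKCS#1 RSAPrivateKey"
    if tags is not None and tags[:3] == [0x02, 0x30, 0x04]:
        return "DER:PKCS#8 PrivateKeyInfo"  # INTEGER, AlgorithmIdentifier, OCTET STRING
    if tags == [0x30, 0x04]:
        return "DER:PKCS#8 EncryptedPrivateKeyInfo"
    raise ValueError("unrecognised key encoding: specify the type explicitly")

def der(tag, content=b""):
    """Encode one short-form DER element (for the constructed samples only)."""
    return bytes([tag, len(content)]) + content

# Constructed samples: a PEM wrapper with an assumed label, and a PKCS#12-like
# shape (INTEGER, SEQUENCE) that shares its first two tags with PKCS#8.
SAMPLE_PEM = b"-----BEGIN TSS KEY BLOB-----\nAAAA\n-----END TSS KEY BLOB-----\n"
SAMPLE_PFX_LIKE = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, b"\x2a")))
```

`SAMPLE_PFX_LIKE` is rejected unless the caller passes `explicit`, because its first two child tags match PKCS#8 and only the third element separates them.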