[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
David Woodhouse
dwmw2 at infradead.org
Wed Nov 23 18:42:29 UTC 2016
On Wed, 2016-11-23 at 17:00 +0000, Salz, Rich wrote:
>
> > FWIW I am perfectly content for applications *not* to automatically work
> > with such keys. Making the user jump through extra hoops to use them
> > would be perfectly fine in my book.
>
> oh I see. "Users shouldn't care, it should just work" But only for some keys.
>
> Part of my I am opposed to guessing.
For me it's the other way round. Magically detecting *that* particular
perfectly valid PKCS#1 RSA key is actually intended for the gem engine
would indeed be guessing. It's a bizarre abuse of PKCS#1 and it doesn't
seem reasonable for anyone to "guess" that without explicit direction.
But for the sane and common cases of PKCS#1, PKCS#8, PKCS#12 and
similar files in both DER and PEM forms, for *those* it makes sense for
applications to Just Work. And it shouldn't really involve "guessing".
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20161123/5bf4a598/attachment-0001.bin>
More information about the openssl-dev
mailing list