[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
Richard Levitte
levitte at openssl.org
Wed Nov 23 21:23:18 UTC 2016
David Woodhouse <dwmw2 at infradead.org> skrev: (23 november 2016 19:42:29 CET)
>On Wed, 2016-11-23 at 17:00 +0000, Salz, Rich wrote:
>>
>> > FWIW I am perfectly content for applications *not* to automatically
>work
>> > with such keys. Making the user jump through extra hoops to use
>them
>> > would be perfectly fine in my book.
>>
>> oh I see. "Users shouldn't care, it should just work" But only for
>some keys.
>>
>> Part of my I am opposed to guessing.
>
>For me it's the other way round. Magically detecting *that* particular
>perfectly valid PKCS#1 RSA key is actually intended for the gem engine
>would indeed be guessing. It's a bizarre abuse of PKCS#1 and it doesn't
>seem reasonable for anyone to "guess" that without explicit direction.
>
>But for the sane and common cases of PKCS#1, PKCS#8, PKCS#12 and
>similar files in both DER and PEM forms, for *those* it makes sense for
>applications to Just Work. And it shouldn't really involve "guessing".
I take that as "recognizing what we decide to support". And as has already been mentioned, we already do that with d2i_AutoPrivatekey.
Cheers
Richard
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
More information about the openssl-dev
mailing list