[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl
Richard Levitte
levitte at openssl.org
Wed Nov 23 21:33:56 UTC 2016
Richard Levitte <levitte at openssl.org> skrev: (23 november 2016 22:23:18 CET)
>
>
>David Woodhouse <dwmw2 at infradead.org> skrev: (23 november 2016 19:42:29
>CET)
>>On Wed, 2016-11-23 at 17:00 +0000, Salz, Rich wrote:
>>>
>>> > FWIW I am perfectly content for applications *not* to
>automatically
>>work
>>> > with such keys. Making the user jump through extra hoops to use
>>them
>>> > would be perfectly fine in my book.
>>>
>>> oh I see. "Users shouldn't care, it should just work" But only for
>>some keys.
>>>
>>> Part of my I am opposed to guessing.
>>
>>For me it's the other way round. Magically detecting *that* particular
>>perfectly valid PKCS#1 RSA key is actually intended for the gem engine
>>would indeed be guessing. It's a bizarre abuse of PKCS#1 and it
>doesn't
>>seem reasonable for anyone to "guess" that without explicit direction.
>>
>>But for the sane and common cases of PKCS#1, PKCS#8, PKCS#12 and
>>similar files in both DER and PEM forms, for *those* it makes sense
>for
>>applications to Just Work. And it shouldn't really involve "guessing".
>
>I take that as "recognizing what we decide to support". And as has
>already been mentioned, we already do that with d2i_AutoPrivatekey.
That being said, though, your recommendation should probably specify (after discussing it) exactly what keys, certs and so on should be supported. Otherwise, everyone will have a slightly different idea of what's reasonable and you will end up in the same space as today...
Cheers
Richard
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
More information about the openssl-dev
mailing list