[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

David Woodhouse dwmw2 at infradead.org
Thu Nov 24 15:33:47 UTC 2016


On Thu, 2016-11-24 at 14:26 +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, Nov 23, 2016 at 10:10 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > > Locales is not the only thing you have to worry about. UTF-8 and UTF-16
> > > can express the same string in various (different) ways, so they cannot
> > > be directly used as passwords. I have recently added RFC7613
> > > "normalization" to gnutls, to address the differences.
> > > 
> > > https://lists.gnupg.org/pipermail/gnutls-devel/2016-November/008240.html
> > 
> > Right. You normalise to NFC, yes? That's what my draft recommends. It's a
> > shame that PKCS#12 doesn't *mandate* that... but hey, at least it does
> > better than PKCS#8 :)
> 
> NFC normalization is one step of RFC7613. I think recommending RFC7613
> is better than making any recommendation.

Hmmm.... I'd be happier if RFC7613 had any mention of using its
profiles for key derivation. (And even happier if the PKCS#12 and
PKCS#8 standards mandated its use!)

This is really something that should be required of the software which
*creates* the key file. I've tried to limit my draft to the *use* of
existing files — but on the plus side, that means I can say things like
"try X and if that doesn't work try Y", at least for the file
decryption, if not for hardware.

So sure, if there is existing software which is *creating* key files
and using the rules in RFC7613 when it does so, then it makes sense for
me to suggest that.

-- 
dwmw2
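
Added example, not part of the original message and not code from OpenSSL, GnuTLS or the draft: the same passphrase in composed and decomposed Unicode form derives different keys, so software opening an existing file can try several byte forms in turn ("try X and if that doesn't work try Y"). Assumptions: PBKDF2-HMAC-SHA256 with a constructed salt stands in for the file's real KDF, a MAC check stands in for successful decryption, the candidate order is illustrative, and only the NFC step of RFC7613 is applied.

```python
import hashlib
import hmac
import unicodedata

# Constructed parameters for this sketch (not taken from PKCS#8, PKCS#12 or the draft).
SALT = b"constructed-salt"
ITERATIONS = 10_000


def derive_key(password_bytes: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the exact bytes supplied; no normalization here."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes, SALT, ITERATIONS, dklen=32)


def make_check_value(password_bytes: bytes) -> bytes:
    """Stand-in for 'the file decrypts': a MAC computed under the derived key."""
    return hmac.new(derive_key(password_bytes), b"key-check", hashlib.sha256).digest()


def candidate_encodings(typed: str):
    """Yield (label, bytes) forms to try, preferred form first, skipping duplicates."""
    seen = set()
    forms = [
        ("NFC/UTF-8", unicodedata.normalize("NFC", typed)),
        ("as-typed/UTF-8", typed),
        ("NFD/UTF-8", unicodedata.normalize("NFD", typed)),
    ]
    for label, text in forms:
        raw = text.encode("utf-8")
        if raw not in seen:
            seen.add(raw)
            yield label, raw


def unlock(typed: str, stored_check: bytes):
    """Return the label of the first candidate that verifies, or None."""
    for label, raw in candidate_encodings(typed):
        if hmac.compare_digest(make_check_value(raw), stored_check):
            return label
    return None


# Constructed sample: the same visible passphrase with a precomposed U+00E4
# versus "a" followed by combining U+0308.
PRECOMPOSED = "p\u00e4ssword"
DECOMPOSED = "pa\u0308ssword"
```

A file whose creator did not normalize is only opened by the fallback candidates, which is why the fallback applies to file decryption and not to hardware, where repeated wrong attempts can count against a retry limit.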