[openssl-dev] [RFC v2 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Nov 30 21:41:31 UTC 2016


    >> So why is it better to say “…engine –key /some/weird/path/weird-file.pem”
    >> than “…engine –key pkcs11:id=02” (or such)?
    >
    > There appears to be some confusion here.  pkcs11 is a representation
    > for defined tokens. 

Well, I did not mean *specifically* pkcs11 – just as an example of something that currently works.


    > However, for TPM, there's also file representation
    > of an unloaded key (it has to be parented or "wrapped" to one of the
    > loaded storage keys, usually the SRK). 

So this PEM wrapping is needed just to load keys into TPM? How do you refer to those keys when they are already loaded?


    > The point here is that because there's a pem file representation of the
    > key, it can be used anywhere a PEM file can be *without* having to tell
    > openssl what the engine is (the PEM guards being unique to the key
    > type).
    
Well, I think I can see your point (except for the above question), but frankly I don’t like this approach very much.
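The mechanism the quoted reply relies on (the PEM guard line is unique to the key type, so a loader can pick the right engine from the file alone instead of being told on the command line) as an added example; this is not code from the thread, from OpenSSL or from any TPM engine. The "TSS2 PRIVATE KEY" label and the engine names in the table are assumptions used to illustrate the dispatch, and the key blobs are constructed bytes, not real keys.

```python
import base64
import re

# Map PEM guard labels to the loader that understands them. The labels for
# built-in keys are the standard ones; the TSS2 label is an assumed guard for
# TPM-wrapped keys, since the thread names no specific string.
PEM_LABEL_TO_ENGINE = {
    "RSA PRIVATE KEY": "builtin",
    "PRIVATE KEY": "builtin",
    "TSS2 PRIVATE KEY": "tpm2tss",   # assumed label, assumed engine name
}

# One PEM block: BEGIN guard, base64 body, END guard. Both guard labels are
# captured so that a mismatch can be rejected rather than silently accepted.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def parse_pem(text):
    """Return (label, decoded_body) for the first PEM block in `text`."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group("begin") != m.group("end"):
        raise ValueError(
            "PEM guard mismatch: BEGIN %r vs END %r"
            % (m.group("begin"), m.group("end"))
        )
    # Strip line breaks before decoding; validate=True rejects stray characters.
    body = base64.b64decode("".join(m.group("body").split()), validate=True)
    return m.group("begin"), body


def select_engine(text):
    """Pick the engine from the PEM guard alone; no -engine argument needed."""
    label, blob = parse_pem(text)
    try:
        engine = PEM_LABEL_TO_ENGINE[label]
    except KeyError:
        raise ValueError("no loader registered for PEM label %r" % label)
    return engine, label, blob


def make_pem(label, blob):
    """Wrap opaque bytes in a PEM block with the given guard label."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples: the bodies are placeholder bytes standing in for a
# TPM-wrapped key blob and a DER-encoded RSA key, not real key material.
SAMPLE_TPM_PEM = make_pem("TSS2 PRIVATE KEY", b"\x00\x01constructed-wrapped-blob")
SAMPLE_RSA_PEM = make_pem("RSA PRIVATE KEY", b"\x30\x82constructed-der")
SAMPLE_MISMATCH = (
    "-----BEGIN TSS2 PRIVATE KEY-----\nAAEC\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in (("tpm", SAMPLE_TPM_PEM), ("rsa", SAMPLE_RSA_PEM)):
        engine, label, blob = select_engine(pem)
        print("%s: guard %r -> engine %s (%d byte blob)" % (name, label, engine, len(blob)))
    try:
        select_engine(SAMPLE_MISMATCH)
    except ValueError as exc:
        print("rejected:", exc)
```

The point the example makes is the one in the reply: the same file path works anywhere a PEM is accepted, and the guard, not the caller, determines which loader handles it. A loader doing this should still reject a BEGIN/END mismatch and an unregistered label rather than guessing.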
    