[openssl-dev] Certificate torture test

David Woodhouse dwmw2 at infradead.org
Fri Sep 23 11:07:09 UTC 2016


On Fri, 2016-09-02 at 20:20 +0000, Salz, Rich wrote:
> > I've started collecting a certificate torture test suite at
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am
> 
> I think this is cool, and splitting it off is a good idea.  I think
> some IETF folks would be interested, too.

We've turned this into a nascent Internet-Draft. It's not filed yet;
preliminary feedback would be very welcome.

http://david.woodhou.se/draft-woodhouse-cert-best-practice.html

Pull requests accepted at
https://github.com/dwmw2/ietf-cert-best-practice

There's plenty of things I'm not quite sure about. In particular, is
there any reason why we'd want to use the new PKCS#8 formats defined in
RFC5958? OpenSSL doesn't support those at all, right? Does anyone?

Also, should we make any attempt to handle keys managed by a TPM? Or
can we rely on PKCS#11 for that?

I note that historically, the OpenSSL TPM ENGINE supported a 'TSS KEY
BLOB' PEM format which contained a TPM-wrapped key, and OpenConnect at
least would Just Work™ when handed such a PEM file.

-- 
dwmw2