
List:       openldap-devel
Subject:    Re: OpenSSL provider support in openldap: OSSL_STORE_open()
From:       Graham Leggett <minfrin () sharp ! fm>
Date:       2024-01-03 18:15:56
Message-ID: 1E6B7EDF-FDC1-44A5-B907-6D4ADFBDEC2E () sharp ! fm

On 03 Jan 2024, at 18:02, Howard Chu <hyc@symas.com> wrote:

> > https://bugs.openldap.org/show_bug.cgi?id=10149
> 
> Looks a bit like a chicken'n'egg situation, why should anyone trust the connection that was used to retrieve certs and keys from the designated URI?

Not at all.

We're referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.

https://www.rfc-editor.org/rfc/rfc7512.html
https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01

By default OpenSSL always supports the file:// URI, which points at PEM encoded certs/keys/crls/params/etc.

Other URIs might point at the MacOS keychain, or the Windows crypto api. It's up to the crypto library.

Regards,
Graham
—
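As an added illustration of the point made in the reply above (example code written for this page, not OpenSSL's or OpenLDAP's): a small Python parser for the RFC 7512 pkcs11: URI syntax, plus the scheme check a store loader does before it opens anything. The set of accepted schemes, the helper names and the sample URIs are assumptions for the example. The only thing resolved from such a URI is which local backend to ask (a file on disk, a PKCS#11 module, a TPM); no connection is made to obtain the key material.

```python
"""RFC 7512 pkcs11: URI parsing and a store-scheme check.

Added example; not OpenSSL or OpenLDAP code. Shows what a store loader does
with a URI before opening anything: pick a local backend by scheme, and for
pkcs11: split the object selector (path part) from the loader hints (query).
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Assumed for this example: the schemes the loader accepts. Each names a local
# backend (PEM files on disk, a PKCS#11 module, a TPM); none is a network host.
STORE_SCHEMES = {"file", "pkcs11", "tpmkey"}

# RFC 7512: legal values of the "type" path attribute.
PKCS11_TYPES = {"public", "private", "cert", "secret-key", "data"}


@dataclass
class Pkcs11Uri:
    path: dict   # object selector: token, object, type, id, slot-id, ...
    query: dict  # loader hints: module-path, module-name, pin-value, pin-source


def store_scheme(uri: str) -> str:
    """Return the backend named by a store URI, refusing non-store schemes."""
    scheme, sep, _rest = uri.partition(":")
    if not sep or scheme.lower() not in STORE_SCHEMES:
        raise ValueError(f"not a key-store URI scheme: {scheme!r}")
    return scheme.lower()


def _attrs(segment: str, sep: str) -> dict:
    """Parse 'name=value' pairs separated by sep, percent-decoding values."""
    attrs = {}
    if segment == "":
        return attrs
    for item in segment.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name in attrs:
            raise ValueError(f"attribute {name!r} repeated")  # RFC 7512 forbids it
        raw = unquote_to_bytes(value)
        # "id" carries the binary CKA_ID; every other value is UTF-8 text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri: str) -> Pkcs11Uri:
    """Split a pkcs11: URI into path attributes (';') and query attributes ('&')."""
    if store_scheme(uri) != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    body = uri.partition(":")[2]
    path, _q, query = body.partition("?")
    parsed = Pkcs11Uri(path=_attrs(path, ";"), query=_attrs(query, "&"))
    if "type" in parsed.path and parsed.path["type"] not in PKCS11_TYPES:
        raise ValueError(f"unknown object type {parsed.path['type']!r}")
    return parsed


def redacted(uri: str) -> str:
    """Copy of a store URI that is safe to log: any pin-value is masked."""
    head, sep, query = uri.partition("?")
    if not sep:
        return uri
    items = []
    for item in query.split("&"):
        name = item.partition("=")[0]
        items.append("pin-value=***" if name == "pin-value" else item)
    return head + "?" + "&".join(items)


if __name__ == "__main__":
    # Constructed sample URIs for the demo; not taken from any real deployment.
    key_uri = ("pkcs11:token=OpenLDAP;object=server%20key;type=private;id=%01%02"
               "?module-path=/usr/lib/p11.so&pin-value=1234")
    p = parse_pkcs11_uri(key_uri)
    print(p.path["object"], p.path["id"], p.query["module-path"])
    print(redacted(key_uri))
    for u in ("file:/etc/openldap/server.pem",
              "tpmkey:file=/var/lib/tpm/server.key",
              "https://example.test/server.key"):
        try:
            print(u, "->", store_scheme(u))
        except ValueError as err:
            print(u, "->", err)
```

Two practical points the code makes explicit: the scheme is a backend selector, so anything that is not one of the known local stores is rejected outright rather than fetched; and a pkcs11: URI can carry the PIN inline (pin-value), so a URI taken from configuration should be passed through something like `redacted()` before it reaches a log line.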





