List: openldap-devel
Subject: Re: OpenSSL provider support in openldap: OSSL_STORE_open()
From: Graham Leggett <minfrin () sharp ! fm>
Date: 2024-01-03 18:15:56
Message-ID: 1E6B7EDF-FDC1-44A5-B907-6D4ADFBDEC2E () sharp ! fm
On 03 Jan 2024, at 18:02, Howard Chu <hyc@symas.com> wrote:
> > https://bugs.openldap.org/show_bug.cgi?id=10149
>
> Looks a bit like a chicken'n'egg situation, why should anyone trust the connection that was used to retrieve certs and keys from the designated URI?
Not at all.
We're referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.
https://www.rfc-editor.org/rfc/rfc7512.html
https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
By default OpenSSL always supports the file:// URI, which points at PEM encoded certs/keys/crls/params/etc.
Other URIs might point at the macOS keychain, or the Windows crypto API. It's up to the crypto library.
Regards,
Graham
—
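An added illustration of the URI-dispatch model discussed above (not code from this thread, from OpenLDAP or from OpenSSL): a small store-URI resolver that dispatches on the scheme the way a store loader does, accepts plain paths and file: URIs, and parses pkcs11: URIs following the RFC 7512 grammar (path attributes separated by `;`, query attributes by `&`, percent-encoded values, `id` as raw bytes, no duplicate attributes). It goes slightly beyond the message by also flagging the two query attributes a reviewer would want to see in a config before trusting it: `pin-value` (a credential inside the URI) and `module-path` (a shared library the library will load). All function names, the sample URIs and the constructed paths are assumptions made for this example.

```python
"""Store-URI resolver: scheme dispatch plus an RFC 7512 pkcs11: parser.

Example code written for this explanation; not OpenLDAP or OpenSSL code.
"""
from urllib.parse import unquote, unquote_to_bytes

# Object types RFC 7512 defines for the "type" path attribute.
PKCS11_OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _parse_attrs(component, separator, where):
    """Split 'name=value' pairs, percent-decode them and reject duplicates.

    RFC 7512 allows vendor-specific attribute names, so unknown names are
    kept rather than rejected; only the shape of each pair is validated.
    """
    attrs = {}
    if component == "":
        return attrs
    for item in component.split(separator):
        name, eq, raw = item.partition("=")
        if not eq or name == "":
            raise ValueError(f"malformed {where} attribute {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate {where} attribute {name!r}")
        if name == "id":
            attrs[name] = unquote_to_bytes(raw)  # CKA_ID is binary, not text
        else:
            attrs[name] = unquote(raw)
    return attrs


def parse_pkcs11_uri(uri):
    """Parse 'pkcs11:<path>[?<query>]' into its path and query attributes."""
    scheme, colon, rest = uri.partition(":")
    if scheme != "pkcs11" or not colon:
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = rest.partition("?")
    path = _parse_attrs(path_part, ";", "path")
    query = _parse_attrs(query_part, "&", "query")
    if "type" in path and path["type"] not in PKCS11_OBJECT_TYPES:
        raise ValueError(f"unknown object type {path['type']!r}")
    return {"path": path, "query": query}


def pkcs11_uri_warnings(parsed):
    """Return review notes for attributes that carry secrets or load code."""
    notes = []
    if "pin-value" in parsed["query"]:
        notes.append("pin-value embeds the PIN in the URI; it will appear "
                     "wherever the URI is stored or logged")
    if "module-path" in parsed["query"]:
        notes.append("module-path names a shared library to load; accept it "
                     "only from trusted configuration")
    return notes


def _file_path(rest):
    """Turn the part after 'file:' into a local path (no remote hosts)."""
    if rest.startswith("//"):
        authority, slash, tail = rest[2:].partition("/")
        if authority not in ("", "localhost"):
            raise ValueError("file: URIs with a remote host are not supported")
        return unquote(slash + tail)
    return unquote(rest)


def resolve_store_uri(uri):
    """Dispatch on the URI scheme; a bare path is treated as a file."""
    scheme, colon, rest = uri.partition(":")
    if not colon:
        return {"scheme": "file", "path": uri}
    if scheme == "file":
        return {"scheme": "file", "path": _file_path(rest)}
    if scheme == "pkcs11":
        return {"scheme": "pkcs11", **parse_pkcs11_uri(uri)}
    raise ValueError(f"no loader registered for scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed sample URIs (hypothetical token, object and paths).
    for sample in (
        "pkcs11:token=My%20Token;object=server-key;type=private;id=%01%02"
        "?pin-source=file:/etc/ldap/pin",
        "pkcs11:object=server-key?pin-value=1234&module-path=/opt/lib/p11.so",
        "file:///etc/ssl/certs/ca.pem",
    ):
        resolved = resolve_store_uri(sample)
        print(sample, "->", resolved)
        if resolved["scheme"] == "pkcs11":
            for note in pkcs11_uri_warnings(resolved):
                print("  note:", note)
```

Running the block prints each constructed URI next to its parsed form and, for the second one, the two notes a reviewer would raise; the real decision of whether a scheme is usable still belongs to the crypto library, which is the point the reply makes.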