From openldap-devel Wed Jan 03 18:23:03 2024
From: Howard Chu
Date: Wed, 03 Jan 2024 18:23:03 +0000
To: openldap-devel
Subject: Re: OpenSSL provider support in openldap: OSSL_STORE_open()
Message-Id:
X-MARC-Message: https://marc.info/?l=openldap-devel&m=170430613730869

Graham Leggett wrote:
> On 03 Jan 2024, at 18:02, Howard Chu wrote:
> 
>>> https://bugs.openldap.org/show_bug.cgi?id=10149
>>
>> Looks a bit like a chicken'n'egg situation, why should anyone trust the connection that was used to
>> retrieve certs and keys from the designated URI?
> 
> Not at all.
> 
> We're referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.

Probably worth noting this in the manpages too then, that these are generally not internet URIs.

> 
> https://www.rfc-editor.org/rfc/rfc7512.html
> https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
> 
> By default OpenSSL always supports the file:// URI, which points at PEM encoded certs/keys/crls/params/etc.
> 
> Other URIs might point at the MacOS keychain, or the Windows crypto api. It's up to the crypto library.
> 
> Regards,
> Graham
> —
> 

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/