
List:       openldap-devel
Subject:    Re: OpenSSL provider support in openldap: OSSL_STORE_open()
From:       Howard Chu <hyc () symas ! com>
Date:       2024-01-03 18:23:03
Message-ID: e580634e-3304-9ee5-3bda-7e8facde6c78 () symas ! com

Graham Leggett wrote:
> On 03 Jan 2024, at 18:02, Howard Chu <hyc@symas.com> wrote:
> 
> > > https://bugs.openldap.org/show_bug.cgi?id=10149
> > 
> > Looks a bit like a chicken'n'egg situation, why should anyone trust the connection that was used to retrieve certs and keys from the designated URI?
> 
> Not at all.
> 
> We're referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.

Probably worth noting this in the manpages too then, that these are generally not internet URIs.
> 
> https://www.rfc-editor.org/rfc/rfc7512.html
> https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
> 
> By default OpenSSL always supports the file:// URI, which points at PEM encoded certs/keys/crls/params/etc.
> Other URIs might point at the MacOS keychain, or the Windows crypto api. It's up to the crypto library.
> Regards,
> Graham
> —
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

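Howard's manpage point above, as an added example that is not OpenLDAP or OpenSSL code: a check that only local OSSL_STORE URI schemes are handed to OSSL_STORE_open(). The allowlist of schemes and the sample URIs are assumptions drawn from the thread, not a list OpenSSL publishes.

```c
/* Added example, not OpenLDAP or OpenSSL code: check that an OSSL_STORE URI
 * names a local key/cert source (file:, pkcs11:, tpmkey:) before it reaches
 * OSSL_STORE_open(). The allowlist and the sample URIs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Schemes treated as local; extend for the providers actually installed. */
static const char *const LOCAL_SCHEMES[] = { "file", "pkcs11", "tpmkey", NULL };

/* Returns 1 if uri may be passed to OSSL_STORE_open(), 0 otherwise.
 * - no scheme: OpenSSL treats the string as a plain file path, accepted
 * - file://host/... with a host other than "localhost": rejected (remote host)
 * - any scheme outside the allowlist (http, https, ldap, ...): rejected
 * Caveat: a Windows drive prefix such as "C:\k.pem" parses as scheme "c". */
int store_uri_is_local(const char *uri)
{
    const char *p = uri;
    char scheme[16];
    size_t n, i;

    if (uri == NULL || *uri == '\0')
        return 0;
    if (!isalpha((unsigned char)*p))
        return 1;                             /* e.g. "/etc/ssl/key.pem" */
    /* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" */
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    if (*p != ':')
        return 1;                             /* relative path, "certs/k.pem" */
    n = (size_t)(p - uri);
    if (n >= sizeof scheme)
        return 0;
    for (i = 0; i < n; i++)
        scheme[i] = (char)tolower((unsigned char)uri[i]);
    scheme[n] = '\0';
    for (const char *const *s = LOCAL_SCHEMES; *s != NULL; s++) {
        if (strcmp(scheme, *s) != 0)
            continue;
        if (strcmp(scheme, "file") == 0 && strncmp(p, "://", 3) == 0) {
            const char *host = p + 3, *end = strchr(host, '/');
            size_t hl = end ? (size_t)(end - host) : strlen(host);
            /* only an empty authority or "localhost" means this machine */
            return hl == 0 || (hl == 9 && strncmp(host, "localhost", 9) == 0);
        }
        return 1;
    }
    return 0;
}
```

A caller would run this on the configured URI and refuse to start, rather than fall through to OSSL_STORE_open(), when it returns 0.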

