List: openldap-devel
Subject: Re: OpenSSL provider support in openldap: OSSL_STORE_open()
From: Howard Chu <hyc () symas ! com>
Date: 2024-01-03 18:23:03
Message-ID: e580634e-3304-9ee5-3bda-7e8facde6c78 () symas ! com
Graham Leggett wrote:
> On 03 Jan 2024, at 18:02, Howard Chu <hyc@symas.com> wrote:
>
> > > https://bugs.openldap.org/show_bug.cgi?id=10149
> >
> > Looks a bit like a chicken'n'egg situation, why should anyone trust the connection that was used to retrieve certs and keys from the designated URI?
>
> Not at all.
>
> We're referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.
Probably worth noting this in the manpages too then, that these are generally not internet URIs.
>
> https://www.rfc-editor.org/rfc/rfc7512.html
> https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
>
> By default OpenSSL always supports the file:// URI, which points at PEM encoded certs/keys/crls/params/etc.
> Other URIs might point at the MacOS keychain, or the Windows crypto api. It's up to the crypto library.
> Regards,
> Graham
> —
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/