List: openssl-dev
Subject: Re: [openssl-dev] Certificate torture test
From: David Woodhouse <dwmw2 () infradead ! org>
Date: 2016-09-23 11:07:09
Message-ID: 1474628829.45169.143.camel () infradead ! org
On Fri, 2016-09-02 at 20:20 +0000, Salz, Rich wrote:
> > I've started collecting a certificate torture test suite at
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am
>
> I think this is cool, and splitting it off is a good idea. I think
> some IETF folks would be interested, too.
We've turned this into a nascent Internet-Draft. It's not filed yet;
preliminary feedback would be very welcome.
http://david.woodhou.se/draft-woodhouse-cert-best-practice.html
Pull requests accepted at
https://github.com/dwmw2/ietf-cert-best-practice
There's plenty of things I'm not quite sure about. In particular, is
there any reason why we'd want to use the new PKCS#8 formats defined in
RFC5958? OpenSSL doesn't support those at all, right? Does anyone?
Also, should we make any attempt to handle keys managed by a TPM? Or
can we rely on PKCS#11 for that?
I note that historically, the OpenSSL TPM ENGINE supported a 'TSS KEY
BLOB' PEM format which contained a TPM-wrapped key, and OpenConnect at
least would Just Work™ when handed such a PEM file.
--
dwmw2