List:       openssl-dev
Subject:    Re: [openssl-dev] Certificate torture test
From:       David Woodhouse <dwmw2 () infradead ! org>
Date:       2016-09-23 11:07:09
Message-ID: 1474628829.45169.143.camel () infradead ! org

On Fri, 2016-09-02 at 20:20 +0000, Salz, Rich wrote:
> > I've started collecting a certificate torture test suite at
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am
> 
> I think this is cool, and splitting it off is a good idea.   I think
> some IETF  folks would be interested, too.

We've turned this into a nascent Internet-Draft. It's not filed yet;
preliminary feedback would be very welcome.

http://david.woodhou.se/draft-woodhouse-cert-best-practice.html

Pull requests accepted at
https://github.com/dwmw2/ietf-cert-best-practice

There's plenty of things I'm not quite sure about. In particular, is
there any reason why we'd want to use the new PKCS#8 formats defined in
RFC5958? OpenSSL doesn't support those at all, right? Does anyone?

Also, should we make any attempt to handle keys managed by a TPM? Or
can we rely on PKCS#11 for that?

I note that historically, the OpenSSL TPM ENGINE supported a 'TSS KEY
BLOB' PEM format which contained a TPM-wrapped key, and OpenConnect at
least would Just Work™ when handed such a PEM file.

-- 
dwmw2