On Jun 7, 2017, at 5:36 AM, Cory Benfield <c...@lukasa.co.uk> wrote:
>> On 7 Jun 2017, at 13:15, Alex Gaynor <alex.gay...@gmail.com> wrote:
>> 
>> Are there things we can do to lower the maintenance burden for ourselves? At 
>> this point the X.509 layer in cryptography is complete, can we deprecate the 
>> one in pyOpenSSL? That'd let us kill a good deal of code, and really get 
>> pyOpenSSL down to just an SSL layer, which is all we care about anyways.
> 
> Right now there aren’t any functions that let you convert to cryptography 
> X509 objects from PyOpenSSL ones or vice versa: only for keys. If we got 
> those for the various X509 objects then I think that’d be a reasonable thing 
> to do.

I recently started working on adding X.509 certificate support to AsyncSSH and 
after looking at the X.509 support in PyCA and being unaware of the history 
here, I reluctantly concluded that I might need to add PyOpenSSL as an 
additional dependency. While PyCA did have pretty good support for building 
X.509 certificates, it has a major hole with regard to verifying certificate 
chains, which is something I need.

Before removing X.509 from PyOpenSSL, I really think that certificate chain 
validation needs to be added to PyCA. There’s an open issue on this already 
(https://github.com/pyca/cryptography/issues/2381) from back in 2015, but it 
looks like the work was never completed.
-- 
Ron Frederick
r...@timeheart.net
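To make concrete what the "hole" in PyCA's X.509 support amounts to, here is an added example (not code from this thread, from pyca/cryptography or from pyOpenSSL) that implements a minimal chain check on top of cryptography's certificate and signature primitives. It builds a constructed toy PKI (root, intermediate, leaf, plus a certificate issued by a non-CA and an expired one) and then walks the chain the way a validator must: match issuer name to subject, require `BasicConstraints` CA=TRUE on every issuer, verify each signature with the issuer's key, check the validity window, and stop only at a configured trust anchor. Function names such as `verify_chain` and the certificate names are my own; the example assumes EC keys throughout and deliberately leaves out revocation, name constraints, path-length limits and extended key usage, which a production validator also needs.

```python
"""Toy X.509 chain verification on pyca/cryptography primitives (hypothetical example)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_cert(subject, issuer_cert, subject_key, signing_key, ca, start_days, end_days):
    """Build a certificate for this demo; issuer_cert=None means self-signed."""
    now = datetime.datetime.now(UTC).replace(tzinfo=None)  # the builder takes naive UTC
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    issuer_name = name if issuer_cert is None else issuer_cert.subject
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now + datetime.timedelta(days=start_days))
        .not_valid_after(now + datetime.timedelta(days=end_days))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def validity_window(cert):
    """Return (not_before, not_after) as tz-aware UTC, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),
            cert.not_valid_after.replace(tzinfo=UTC))


def is_ca(cert):
    """An issuer must assert CA=TRUE in BasicConstraints; absence means 'not a CA'."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, issuer):
    """Check cert's signature over its TBS bytes with the issuer's EC public key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, intermediates, trust_anchors, now=None):
    """Walk from leaf towards a trust anchor; return (ok, reason)."""
    now = now or datetime.datetime.now(UTC)
    current, depth = leaf, 0
    while depth <= len(intermediates):
        not_before, not_after = validity_window(current)
        if not not_before <= now <= not_after:
            return False, f"{current.subject.rfc4514_string()} is outside its validity period"
        # Candidate issuers are matched by name, then confirmed by CA flag and signature.
        candidates = [c for c in trust_anchors + intermediates if c.subject == current.issuer]
        for issuer in candidates:
            if is_ca(issuer) and signed_by(current, issuer):
                if issuer in trust_anchors:
                    return True, f"chain ends at trust anchor {issuer.subject.rfc4514_string()}"
                current, depth = issuer, depth + 1
                break
        else:
            return False, f"no CA certificate verifies {current.subject.rfc4514_string()}"
    return False, "chain too long"


def build_demo():
    """Constructed PKI: root -> intermediate -> leaf, plus two certificates that must fail."""
    root_key, inter_key, leaf_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("Demo Root CA", None, root_key, root_key, True, -30, 3650)
    inter = make_cert("Demo Intermediate CA", root, inter_key, root_key, True, -30, 1825)
    leaf = make_cert("server.example.test", inter, leaf_key, inter_key, False, -1, 365)
    rogue = make_cert("rogue.example.test", leaf, other_key, leaf_key, False, -1, 365)   # issued by a non-CA
    expired = make_cert("old.example.test", inter, other_key, inter_key, False, -30, -1)  # already expired
    return root, inter, leaf, rogue, expired


def run_checks():
    """Exercise the validator on the good chain and on each failure mode."""
    root, inter, leaf, rogue, expired = build_demo()
    return {
        "good": verify_chain(leaf, [inter], [root])[0],
        "rogue": verify_chain(rogue, [inter, leaf], [root])[0],
        "expired": verify_chain(expired, [inter], [root])[0],
        "untrusted_root": verify_chain(leaf, [inter], [])[0],
    }


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The point of the failure cases is that signature verification alone is not chain validation: the rogue certificate carries a perfectly valid signature, but from a key that was never authorised to issue, and the expired one chains cleanly to the root. A validator has to refuse both, which is exactly the logic a library must own before an application can rely on it.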
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev