Great point.

Alex

On Jun 7, 2017 9:24 AM, "Ron Frederick" <[email protected]> wrote:

> On Jun 7, 2017, at 5:36 AM, Cory Benfield <[email protected]> wrote:
>
> On 7 Jun 2017, at 13:15, Alex Gaynor <[email protected]> wrote:
>
> Are there things we can do to lower the maintenance burden for ourselves?
> At this point the X.509 layer in cryptography is complete, can we deprecate
> the one in pyOpenSSL? That'd let us kill a good deal of code, and really
> get pyOpenSSL down to just an SSL layer, which is all we care about anyways.
>
>
> Right now there aren’t any functions that let you convert to cryptography
> X509 objects from PyOpenSSL ones or vice versa: only for keys. If we got
> those for the various X509 objects then I think that’d be a reasonable
> thing to do.
>
>
> I recently started working on adding X.509 certificate support to AsyncSSH
> and after looking at the X.509 support in PyCA and being unaware of the
> history here, I reluctantly concluded that I might need to add PyOpenSSL as
> an additional dependency. While PyCA did have pretty good support for
> building X.509 certificates, it has a major hole with regard to verifying
> certificate chains, which is something I need.
>
> Before removing X.509 from PyOpenSSL, I really think that certificate
> chain validation needs to be added to PyCA. There’s an open issue on this
> already (https://github.com/pyca/cryptography/issues/2381) from back in
> 2015, but it looks like the work was never completed.
> --
> Ron Frederick
> [email protected]
>
> _______________________________________________
> Cryptography-dev mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/cryptography-dev
