Great point.

Alex

On Jun 7, 2017 9:24 AM, "Ron Frederick" <r...@timeheart.net> wrote:

> On Jun 7, 2017, at 5:36 AM, Cory Benfield <c...@lukasa.co.uk> wrote:
>
> On 7 Jun 2017, at 13:15, Alex Gaynor <alex.gay...@gmail.com> wrote:
>
> Are there things we can do to lower the maintenance burden for ourselves?
> At this point the X.509 layer in cryptography is complete, can we deprecate
> the one in pyOpenSSL? That'd let us kill a good deal of code, and really
> get pyOpenSSL down to just an SSL layer, which is all we care about anyways.
>
> Right now there aren’t any functions that let you convert to cryptography
> X509 objects from PyOpenSSL ones or vice versa: only for keys. If we got
> those for the various X509 objects then I think that’d be a reasonable
> thing to do.
>
> I recently started working on adding X.509 certificate support to AsyncSSH
> and after looking at the X.509 support in PyCA and being unaware of the
> history here, I reluctantly concluded that I might need to add PyOpenSSL as
> an additional dependency. While PyCA did have pretty good support for
> building X.509 certificates, it has a major hole with regard to verifying
> certificate chains, which is something I need.
>
> Before removing X.509 from PyOpenSSL, I really think that certificate
> chain validation needs to be added to PyCA. There’s an open issue on this
> already (https://github.com/pyca/cryptography/issues/2381) from back in
> 2015, but it looks like the work was never completed.
> --
> Ron Frederick
> r...@timeheart.net
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev