My vote is to affect the change ASAP. I don't know how painful it would be for other developers; however, carrying legacy implementations forward only increases the window of security vulnerability. Best to do this now, before the volume of applications exacerbates the situation.
Thanks. --Dr. Flywheel On Wed, Nov 8, 2017 at 10:14 AM, David Brown <[email protected]> wrote: > In my work on https://runtimeco.atlassian.net/browse/MCUB-87 I will be > adding support for password protected private key files to MCUboot's > image signing tool. I would also like to add this support to `newt` > as well. > > In order to support this protection, I will likely be moving from the > current algorithm-specific "legacy" file formats for private keys to > PKCS#8 (https://tools.ietf.org/html/rfc5958: Asymmetric Key Packages), > which defines a key storage format that supports multiple algorithms. > It also has a more modern and robust method of password protecting the > files. As per the OpenSSL documentation: "newer applications should > use the more secure PKCS#8 format...". > > For MCUboot's tool, I will likely convert the format of the key files > to always be PKCS#8, effectively removing support for the legacy > formats. There will be a documented `openssl` command that can be > used to convert any keys between the different formats. > > My question for the mynewt list is whether it would be acceptable to > change this key format within 'newt', or if we will continue needing > to support the legacy file formats for some period of time. > > Thanks, > David >
