On 03 Jan 2024, at 18:02, Howard Chu <h...@symas.com> wrote:

>> https://bugs.openldap.org/show_bug.cgi?id=10149
> 
> Looks a bit like a chicken'n'egg situation, why should anyone trust the
> connection that was used to retrieve certs and keys from the designated URI?

Not at all.

We’re referring to URIs known to crypto libraries, such as pkcs11 URLs (for 
smartcard interfaces) and tpmkey URIs for TPM chips.

https://www.rfc-editor.org/rfc/rfc7512.html
https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01

By default OpenSSL always supports the file:// URI, which points at PEM encoded 
certs/keys/crls/params/etc.

Other URIs might point at the MacOS keychain, or the Windows crypto api. It’s 
up to the crypto library.

Regards,
Graham
—
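For the pkcs11: scheme referred to above, the following is an added example (not code from this thread, from OpenLDAP or from OpenSSL) that parses an RFC 7512 URI into its path attributes (which identify the token and object) and query attributes (pin-source, module-path and the like), and rejects anything that is not a pkcs11: URI. The attribute names are those defined in RFC 7512; the sample URIs in the comments are constructed.

```python
from urllib.parse import unquote, unquote_to_bytes

# RFC 7512 grammar, simplified:
#   pkcs11:<path-attr>(;<path-attr>)* [ ?<query-attr>(&<query-attr>)* ]
# Path attributes select a token/object inside a local PKCS#11 module;
# query attributes are hints for the library. Values are percent-encoded,
# so a literal ';', '&' or '?' inside a value never reaches the splitter.
PATH_ATTRS = {"token", "manufacturer", "serial", "model",
              "library-manufacturer", "library-description",
              "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _parse_attrs(segment, sep, allowed):
    """Split 'a=b<sep>c=d' into a dict, percent-decoding each value."""
    attrs = {}
    if not segment:                      # "pkcs11:" alone is valid (matches any)
        return attrs
    for item in segment.split(sep):
        if "=" not in item:
            raise ValueError(f"malformed attribute: {item!r}")
        name, value = item.split("=", 1)
        if name not in allowed:
            raise ValueError(f"unknown attribute: {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        # 'id' is the raw CKA_ID byte string, so keep it as bytes.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    Raises ValueError for any other scheme, so a caller cannot mistake a
    network URL (e.g. https://...) for a reference into a local token."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path = _parse_attrs(path_part, ";", PATH_ATTRS)
    query = _parse_attrs(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise ValueError(f"bad object type: {path['type']!r}")
    return path, query


def is_pkcs11_uri(uri):
    """True if the string is a well-formed pkcs11: URI, False otherwise."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False
```

Example input: `pkcs11:token=My%20Token;object=signing%20key;type=private;id=%01%ab?pin-source=file:/etc/token-pin` yields the token and object names with spaces decoded, the id as the bytes 01 ab, and the pin-source as a separate query attribute.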
