On Fri, 2016-09-02 at 20:20 +0000, Salz, Rich wrote:
> > I've started collecting a certificate torture test suite at
> > http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/
> > Makefile.am
>
> I think this is cool, and splitting it off is a good idea. I think
> some IETF folks would be interested, too.

We've turned this into a nascent Internet-Draft. It's not filed yet; preliminary feedback would be very welcome.

http://david.woodhou.se/draft-woodhouse-cert-best-practice.html

Pull requests accepted at https://github.com/dwmw2/ietf-cert-best-practice

There's plenty of things I'm not quite sure about. In particular, is there any reason why we'd want to use the new PKCS#8 formats defined in RFC5958? OpenSSL doesn't support those at all, right? Does anyone?

Also, should we make any attempt to handle keys managed by a TPM? Or can we rely on PKCS#11 for that? I note that historically, the OpenSSL TPM ENGINE supported a 'TSS KEY BLOB' PEM format which contained a TPM-wrapped key, and OpenConnect at least would Just Work™ when handed such a PEM file.

--
dwmw2

-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev