In message <1479815862.8937.22.ca...@infradead.org> on Tue, 22 Nov 2016 11:57:42 +0000, David Woodhouse <dw...@infradead.org> said:
dwmw2> On Mon, 2016-11-21 at 13:50 +0000, Blumenthal, Uri - 0553 - MITLL
dwmw2> wrote:
dwmw2> > Frankly, I think this approach of specially-encoded PEM or DER files
dwmw2> > telling the app what key to ask from the engine is madness, compared
dwmw2> > to the straightforward URI approach (no pun intended :).
dwmw2>
dwmw2> Right. There are two separate things that the TPM can do for keys.
dwmw2>
dwmw2> There is storage in the TPM itself, and you can reference a key therein
dwmw2> by its UUID. In Nikos's draft, and in GnuTLS, you end up with something
dwmw2> like tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user
dwmw2>
dwmw2> To use a PEM file for that does seem like madness; I agree.
dwmw2>
dwmw2> However, Nikos's draft also supports a URI of the form:
dwmw2> tpmkey:file=/foo/bar/key.pem
dwmw2>
dwmw2> This, I do not like. It runs entirely contrary to my assertion in
dwmw2> http://david.woodhou.se/draft-woodhouse-cert-best-practice.html that
dwmw2> applications should Just Bloody Work with whatever file they're handed,
dwmw2> without needing to be *told* what the file contains.

Not sure I follow... 'file=/foo/bar/key.pem' is just a path / parameter that
the 'tpmkey' handler is free to interpret in whatever way it sees fit. For me
as a user, it's just a string. For all I care, the URI could just as well be
'tpmkey:id=L2Zvby9iYXIva2V5LnBlbQ=='

That doesn't say anything about the contents of /foo/bar/key.pem, not more
than file:/foo/bar/key.pem does, or even if there actually is a file
/foo/bar/key.pem.

Maybe I misunderstand what you're after...

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
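The two URI shapes quoted in the thread, tpmkey:uuid=...;storage=... and tpmkey:file=..., together with the opaque id= form Richard proposes, handled by a small key-reference parser. This is an added example, not code from the thread, OpenSSL or GnuTLS; the attribute grammar (';'-separated key=value pairs, storage limited to 'user' or 'system', id= as base64 of a path) is assumed from the quoted forms rather than taken from the draft.

```python
import base64
import re
from urllib.parse import unquote

# Attribute shapes assumed from the URIs quoted in the thread, not from the draft text.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
STORAGE_VALUES = {"user", "system"}  # assumed set of storage= values
LOCATORS = ("uuid", "file", "id")    # exactly one of these names the key


def parse_tpmkey_uri(uri: str) -> dict:
    """Split a tpmkey: URI into attributes and validate the ones the thread mentions."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "tpmkey":
        raise ValueError("not a tpmkey: URI")
    attrs = {}
    for part in rest.split(";"):
        key, eq, value = part.partition("=")
        if not key or not eq:
            raise ValueError(f"malformed attribute: {part!r}")
        attrs[key.lower()] = unquote(value)
    if sum(k in attrs for k in LOCATORS) != 1:
        raise ValueError("exactly one of uuid=, file= or id= is required")
    if "uuid" in attrs and not UUID_RE.match(attrs["uuid"]):
        raise ValueError("uuid= is not a well-formed UUID")
    if "storage" in attrs and attrs["storage"] not in STORAGE_VALUES:
        raise ValueError("storage= must be 'user' or 'system'")
    return attrs


def is_valid_tpmkey_uri(uri: str) -> bool:
    try:
        parse_tpmkey_uri(uri)
        return True
    except ValueError:
        return False


def resolve_key_reference(uri: str) -> tuple:
    """Return ('tpm', uuid, storage) for in-TPM keys or ('file', path) for file-backed ones.

    The handler alone decides what a locator means; the application only passes the string."""
    attrs = parse_tpmkey_uri(uri)
    if "uuid" in attrs:
        return ("tpm", attrs["uuid"].lower(), attrs.get("storage"))
    if "file" in attrs:
        return ("file", attrs["file"])
    # Richard's point: an opaque id= is just another spelling of the same path,
    # and says no more about the file's contents than file= does.
    path = base64.b64decode(attrs["id"], validate=True).decode("utf-8")
    return ("file", path)
```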