>> So why is it better to say “…engine -key /some/weird/path/weird
>> -file.pem” than “…engine -key pkcs11:id=02” (or such)?
>
> There appears to be some confusion here. pkcs11 is a representation
> for defined tokens.

Well, I did not mean *specifically* pkcs11, just as an example of something that currently works.

> However, for TPM, there's also a file representation
> of an unloaded key (it has to be parented or "wrapped" to one of the
> loaded storage keys, usually the SRK).

So this PEM wrapping is needed just to load keys into the TPM? How do you refer to those keys when they are already loaded?

> The point here is that because there's a PEM file representation of the
> key, it can be used anywhere a PEM file can be *without* having to tell
> openssl what the engine is (the PEM guards being unique to the key
> type).

Well, I think I can see your point (except for the above question), but frankly I don’t like this approach very much.
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev