On Thu, 2016-12-08 at 23:44 +0000, David Woodhouse wrote:
> On Tue, 2016-12-06 at 22:30 +0100, Richard Levitte wrote:
> > Oh....
> > 
> > I think I aired some thoughts on using PEM headers a very long while
> > ago, but that never came into fruition, among others because I ended
> > up doubting that it would be the best way in the long run.
> > 
> > These days, the use of PEM headers is considered old and kinda sorta
> > deprecated, even though OpenSSL still produces encrypted private key
> > PEM files that use headers for the encryption metadata.  It seems
> > that PKCS#8 is preferred "out there".
> > 
> > So I have to wonder, is PEM really the right way to go for this?
> > Would it be just as possible to wrap a TSS key with a PKCS#8
> > container, and use the associated attributes for the external data?
> > Just a thought, though...  I can't do more than throw around ideas,
> > considering how little I know about TPM.
>
> I would definitely suggest that we *don't* want to do it with PEM
> headers. Just put the additional information into the binary ASN.1
> structure.

Which evil is lesser?  If we put it in ASN.1 we'll be defining our own
instead of using the TSS defined one.  If we use headers, we can put
the extra data in them and use the TSS defined ASN.1 for the key blob.

> The 2.0 version of the TssBlob (from §3.23 of the 1.2 spec) should
> hopefully contain all the auxiliary information we need, without
> having to stick it in PEM headers.

Which of the many specs is this?

openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev