On Sat, 2016-12-24 at 14:25 +0100, Nikos Mavrogiannopoulos wrote: > On Fri, Dec 23, 2016 at 7:06 PM, James Bottomley > <james.bottom...@hansenpartnership.com> wrote: > > The reason this comes about is because we already have a standard > > form for TPM 1.2 keys here: > > http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#ide > > nt-tpm > > However, since I'm working on TPM2 enabling for openssl and gnutls, > > I need to come up with a new key format because TPM2 requires some > > extra parameters and the original TSS KEY BLOB, being a single > > ASN1_OCTET_STRING isn't expandable. > [...] > > I'm torn on where to get the OIDs from. Since this is a TPM key, > > it might make sense to use the TCG OID (2.23.133) and just add > > something they haven't already used, like 10 for key formats, or we > > could go with a pkcs OID (1.2.840.113549.1) > > OIDs under some umbrella normally need to be registered within the > organization they belong to. If you cannot find a suitable > organization to get these OIDs from I'll check whether we can get > something under redhat's OIDs.
I think, since it's a key format, the two above are the potential ones. It would be TCG if they want to take it into their standard, otherwise PKCS is RSA Inc. > > If we can agree on this, we can update David's document and make it > > a formal RFC. > > Shouldn't version be first? I put OID first because that's what makes the structure self describing. You simply need to look for the SEQUENCE OBJECT OID prefix. We can easily register our own, of course as well. If version goes first, you have a variable prefix. > However, I'm not sure how expandable is ASN.1 using version fields > (I've seen no structure being able to be re-used using a different > version). An alternative approach would to allow for future > extensions, i.e., something like the PKIX Extension field, which is > an OID+data. As long as the expansion fields are optional, it works nicely. X509 and X509v3 are examples of version expanded ASN.1 James -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev