On 02/23/2015 02:10 PM, David Woodhouse wrote:
> On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote:
>>
>> All fine. My rationale was like, if I want a certificate with a certain
>> SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for me
>> whether I get it from OS X, Windows or Android Certificate store.
>
> The canonical way of representing that would be
> pkcs11:object=schw...@mycoolca.com
But that implies that pkcs11 is somehow in the loop. I might (1) use a different mechanism, such as a separate daemon that directly uses a private key file (as is possible on Android), or (2) simply not care what mechanism my daemon uses.

That said, I *do* agree that it would be worthwhile to see if we can use the same URI format as pkcs11-uris (most recent draft: https://tools.ietf.org/html/draft-pechanec-pkcs11uri-21). If I recall correctly, there even are pkcs11-uri parsing libs available. I think omitting 'pkcs11:' or 'osxkeychain:' should be possible, and if omitted the backend application should just use whatever it prefers.

-Steffan
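As an added illustration of the format under discussion (this is example code written for this page, not code from the thread, from OpenVPN or from any pkcs11-uri library): a small parser for the draft-pechanec-pkcs11uri syntax, the path attributes separated by `;`, an optional `?` query part separated by `&`, and percent-encoded values, that also accepts the scheme-less form Steffan proposes and treats a missing scheme as "backend's choice". The `uri_selects()` helper shows the point Arne raised: the same object description selects the same key whether the scheme says `pkcs11:` or `osxkeychain:`. The attribute names come from the draft; the sample URIs and candidate-store dictionaries are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Path and query attribute names defined by draft-pechanec-pkcs11uri
# (the same set later published in RFC 7512).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}

# A URI scheme is a letter followed by letters, digits, '+', '.' or '-'
# and a colon.  'object=foo' contains '=' so it never matches: that is how a
# scheme-less descriptor is told apart from one with a scheme.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.DOTALL)


def _split_attrs(part, sep, allowed):
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values.

    Duplicate attributes are rejected: the draft forbids repeating an
    attribute, and a duplicate 'object=' would make key selection ambiguous.
    """
    attrs = {}
    if part == "":
        return attrs
    for item in part.split(sep):
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {item!r}")
        if name not in allowed:
            raise ValueError(f"unknown attribute {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        # 'id' (CKA_ID) is opaque bytes; every other value is UTF-8 text.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_key_uri(uri):
    """Return (scheme, path_attrs, query_attrs).

    scheme is the lower-cased scheme ('pkcs11', 'osxkeychain', ...) or None
    when the descriptor carries no scheme at all, meaning the backend may use
    whatever store it prefers.
    """
    m = SCHEME_RE.match(uri)
    if m:
        scheme, rest = m.group(1).lower(), m.group(2)
    else:
        scheme, rest = None, uri
    path_part, _, query_part = rest.partition("?")
    path = _split_attrs(path_part, ";", PATH_ATTRS)
    query = _split_attrs(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise ValueError(f"invalid object type {path['type']!r}")
    return scheme, path, query


def uri_selects(uri, candidate):
    """True if every path attribute in `uri` matches the candidate object.

    `candidate` is a dict describing one object in some store (constructed
    for this example); attributes the URI does not mention are unconstrained,
    and the scheme is deliberately ignored so the same descriptor works
    against any backend.
    """
    _, path, _ = parse_key_uri(uri)
    return all(candidate.get(name) == value for name, value in path.items())


if __name__ == "__main__":
    # Constructed sample: one private key described with and without a scheme.
    store_entry = {"token": "My Token", "object": "vpn-client-key",
                   "type": "private", "id": b"\x01\x02"}
    for u in ("pkcs11:token=My%20Token;object=vpn-client-key;type=private",
              "osxkeychain:object=vpn-client-key;type=private",
              "object=vpn-client-key"):
        print(u, "->", parse_key_uri(u)[0], uri_selects(u, store_entry))
```

The parser is strict about attribute names and duplicates on purpose: a key-selection string that silently tolerates typos or repeated `object=` entries can end up picking a different key than the administrator intended, so rejecting it at configuration time is the safer failure mode.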