Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-22 Thread Erwann Abalea
On 21/12/2014 21:39, Sean Leonard wrote: On 12/21/2014 8:33 AM, Kurt Roeckx wrote: On Sat, Dec 20, 2014 at 02:29:44PM +, Dr. Stephen Henson wrote: On Fri, Dec 19, 2014, Sean Leonard wrote: On Dec 19, 2014, at 11:35 AM, Kurt Roeckx wrote: On Fri, Dec 19, 2014 at 03:05:32PM +, Vik

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-21 Thread Sean Leonard
On 12/21/2014 8:33 AM, Kurt Roeckx wrote: On Sat, Dec 20, 2014 at 02:29:44PM +, Dr. Stephen Henson wrote: On Fri, Dec 19, 2014, Sean Leonard wrote: On Dec 19, 2014, at 11:35 AM, Kurt Roeckx wrote: On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: On Fri, Dec 19, 2014 at

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-21 Thread Kurt Roeckx
On Sat, Dec 20, 2014 at 02:29:44PM +, Dr. Stephen Henson wrote: > On Fri, Dec 19, 2014, Sean Leonard wrote: > > > > > On Dec 19, 2014, at 11:35 AM, Kurt Roeckx wrote: > > > > > On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: > > >> On Fri, Dec 19, 2014 at 08:47:55AM -0500,

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-20 Thread Dr. Stephen Henson
On Fri, Dec 19, 2014, Sean Leonard wrote: > > On Dec 19, 2014, at 11:35 AM, Kurt Roeckx wrote: > > > On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: > >> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: > >> > >>> Does OpenSSL have documented someplace exac

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Sean Leonard
On Dec 19, 2014, at 11:35 AM, Kurt Roeckx wrote: > On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: >> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: >> >>> Does OpenSSL have documented someplace exactly what it means to have a >>> "TRUSTED CERTIFICATE"? >>

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Kurt Roeckx
On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: > On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: > > > Does OpenSSL have documented someplace exactly what it means to have a > > "TRUSTED CERTIFICATE"? > > It is a certificate + auxiliary data which specifies

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Viktor Dukhovni
On Fri, Dec 19, 2014 at 07:02:29AM -0800, Sean Leonard wrote: > There is also a "TRUSTED CERTIFICATE" label that OpenSSL uses...I believe > this is a vendor-specific extension but now that I am spelunking through the > source code I see that it could be abused. Relevant source code/comments > say:

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Viktor Dukhovni
On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: > Does OpenSSL have documented someplace exactly what it means to have a > "TRUSTED CERTIFICATE"? It is a certificate + auxiliary data which specifies a friendly name plus a set of EKUs. > For example, say we're talking about a

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Sean Leonard
On 12/19/2014 5:47 AM, Daniel Kahn Gillmor wrote: On 12/18/2014 04:42 AM, Kurt Roeckx wrote: On Wed, Dec 17, 2014 at 08:34:52PM +0100, Erwann Abalea wrote: On 17/12/2014 20:17, Viktor Dukhovni wrote: On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: For reference for the group

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Daniel Kahn Gillmor
On 12/18/2014 04:42 AM, Kurt Roeckx wrote: > On Wed, Dec 17, 2014 at 08:34:52PM +0100, Erwann Abalea wrote: >> On 17/12/2014 20:17, Viktor Dukhovni wrote: >>> On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: >>> For reference for the group (in case you didn't take a look at the

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Dave Thompson
> From: openssl-dev On Behalf Of Salz, Rich > Sent: Thursday, December 18, 2014 07:42 > Are you trying to be proscriptive (say what people should use) or descriptive > (document what is in use)? > > Yes, PKCS8-based PRIVATE KEY is better. But RSA PRIVATE KEY is in (wide) > use and should be desc

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Sean Leonard
On 12/18/2014 4:41 AM, Salz, Rich wrote: Are you trying to be proscriptive (say what people should use) or descriptive (document what is in use)? Yes, PKCS8-based PRIVATE KEY is better. But RSA PRIVATE KEY is in (wide) use and should be described. I am trying to be proscriptively descriptiv

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-18 Thread Salz, Rich
Are you trying to be proscriptive (say what people should use) or descriptive (document what is in use)? Yes, PKCS8-based PRIVATE KEY is better. But RSA PRIVATE KEY is in (wide) use and should be described.

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-18 Thread Kurt Roeckx
On Wed, Dec 17, 2014 at 08:34:52PM +0100, Erwann Abalea wrote: > On 17/12/2014 20:17, Viktor Dukhovni wrote: > >On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: > > > >>For reference for the group (in case you didn't take a look at the draft), > >>the draft documents the following l

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Sean Leonard
On 12/17/2014 11:04 AM, Salz, Rich wrote: Probably also worth documenting the legacy "RSA PRIVATE KEY" defined by openssl and used mainly in legacy pre-pkcs8 support There is a paragraph on "algorithm agility"; the legacy labels (like RSA PRIVATE KEY) are not mentioned because for interchange

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Erwann Abalea
On 17/12/2014 20:17, Viktor Dukhovni wrote: On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: For reference for the group (in case you didn't take a look at the draft), the draft documents the following labels: CERTIFICATE ... Perhaps also "TRUSTED CERTIFICATE"? crypto/pe

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Viktor Dukhovni
On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: > For reference for the group (in case you didn't take a look at the draft), > the draft documents the following labels: > > CERTIFICATE > ... Perhaps also "TRUSTED CERTIFICATE"? crypto/pem/pem.h:#define PEM_STRING_X509_TRUSTED

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Salz, Rich
Probably also worth documenting the legacy "RSA PRIVATE KEY" defined by openssl and used mainly in legacy pre-pkcs8 support -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Sean Leonard
On 12/17/2014 10:00 AM, Dr. Stephen Henson wrote: On Wed, Dec 17, 2014, Sean Leonard wrote: #define PEM_STRING_PARAMETERS "PARAMETERS" (note, this label does not have any algorithms in it, so I presume it refers to some kind of generic parameter structure) It's used internally to indica

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Sean Leonard
On 12/17/2014 8:34 AM, Salz, Rich wrote: I am putting the finishing touches on an Internet-Draft for textual encodings of security structures, which OpenSSL refers to as the "PEM format". Cool. You know why it's called PEM format, rig

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Dr. Stephen Henson
On Wed, Dec 17, 2014, Sean Leonard wrote: > #define PEM_STRING_PARAMETERS "PARAMETERS" > (note, this label does not have any algorithms in it, so I presume > it refers to some kind of generic parameter structure) > It's used internally to indicate to the PEM routines that it should accept a

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Erwann Abalea
On 17/12/2014 17:34, Salz, Rich wrote: #define PEM_STRING_X509_PAIR "CERTIFICATE PAIR" (note, this is supposed to encapsulate a CertificatePair structure from X.509) This is not used anywhere in openssl. I just removed it and did a build :) The fact that the fields are named forward

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Salz, Rich
> > I am putting the finishing touches on an Internet-Draft for textual > > encodings of security structures > > , which > > OpenSSL refers to as the "PEM format". Cool. You know why it's called PEM format, right? (RFC 1115 et al) > >

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Kurt Roeckx
On Wed, Dec 17, 2014 at 02:37:08AM -0800, Sean Leonard wrote: > Hi OpenSSL devs: > > I am putting the finishing touches on an Internet-Draft for textual > encodings of security structures > , which OpenSSL > refers to as the "PEM format".

[openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Sean Leonard
Hi OpenSSL devs: I am putting the finishing touches on an Internet-Draft for textual encodings of security structures, which OpenSSL refers to as the "PEM format". While reviewing OpenSSL's behavior, I noticed a few esoteric labels