Graham Leggett wrote:
> On 03 Jan 2024, at 18:02, Howard Chu <h...@symas.com> wrote:
>
>>> https://bugs.openldap.org/show_bug.cgi?id=10149
>>
>> Looks a bit like a chicken'n'egg situation, why should anyone trust the
>> connection that was used to retrieve certs and keys from the designated URI?
>
> Not at all.
>
> We’re referring to URIs known to crypto libraries, such as pkcs11 URLs (for
> smartcard interfaces) and tpmkey URIs for TPM chips.

Probably worth noting this in the manpages too then, that these are generally not internet URIs.

> https://www.rfc-editor.org/rfc/rfc7512.html
> https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
>
> By default OpenSSL always supports the file:// URI, which points at PEM
> encoded certs/keys/crls/params/etc.
>
> Other URIs might point at the MacOS keychain, or the Windows crypto api. It’s
> up to the crypto library.
>
> Regards,
> Graham
> —

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
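As an added example (not code from OpenLDAP, OpenSSL or either poster), here is the distinction the thread draws, in code: an RFC 7512 `pkcs11:` URI parser plus a classifier that treats `pkcs11:`, `tpmkey:` and `file:` as local/hardware key references and flags network schemes, so a configuration check can refuse to load key material from a URI that would require trusting a connection. The scheme lists and sample URIs are constructed for illustration.

```python
"""Classify key/cert URIs: RFC 7512 pkcs11:, tpmkey:, file:// are local;
http(s)/ldap(s) would mean fetching key material over a network.
Added example; scheme sets are assumptions, not a library's own list."""
from urllib.parse import unquote, unquote_to_bytes

# Schemes resolved by the crypto library against local or hardware key stores
# (RFC 7512 pkcs11, the tpmkey draft, OpenSSL's built-in file:// loader).
LOCAL_SCHEMES = {"pkcs11", "tpmkey", "file"}
# Schemes that imply a network fetch: rejected for key/cert references.
NETWORK_SCHEMES = {"http", "https", "ldap", "ldaps", "ftp"}


def _split_attrs(segment: str, sep: str) -> dict:
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values.
    The 'id' attribute is binary per RFC 7512, so it is kept as bytes."""
    out = {}
    for part in filter(None, segment.split(sep)):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed pkcs11 attribute: {part!r}")
        out[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return out


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse 'pkcs11:<path attrs ;-separated>?<query attrs &-separated>'."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return {"path": _split_attrs(path, ";"), "query": _split_attrs(query, "&")}


def classify_key_uri(uri: str) -> str:
    """Return 'local', 'network', 'plain-path' or 'unknown' for a key/cert URI."""
    scheme, colon, _ = uri.partition(":")
    if not colon:
        return "plain-path"          # e.g. /etc/ssl/private/server.key
    scheme = scheme.lower()
    if scheme in NETWORK_SCHEMES:
        return "network"
    if scheme == "pkcs11":
        parse_pkcs11_uri(uri)        # reject malformed references early
        return "local"
    if scheme in LOCAL_SCHEMES:
        return "local"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: a private key on a token, PIN read from a local file.
    sample = "pkcs11:token=my-token;object=my%20key;type=private?pin-source=file:/etc/token_pin"
    print(parse_pkcs11_uri(sample), classify_key_uri(sample))
```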