On Mon, 2016-03-14 at 22:34 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> I’d personally prefer the cms app to have internal logic “if -engine is
> specified and the cert name starts with ‘pkcs11:’ then load it via
> engine”.

So you don't want the -keyform argument to exist either? That would also be redundant, by the same logic. And I'm not sure it's true.

> It’s been suggested in another forum that perhaps openssl should
> automatically load the appropriate engine if the resource (key || pubkey
> || cert) is specified via URI that starts with the engine name (like
> “pkcs11:”).

I dislike this, because it could be used to provoke OpenSSL into loading arbitrary engines. It also dramatically increases the chance of accidental collision with real filenames.

But I suppose if it was restricted to explicitly-configured prefixes, that would be tolerable.

But seriously, I was mostly planning to ditch the engine completely for PKCS#11, and add code to crypto/pkcs11/ to do things directly.

-- 
David Woodhouse
Open Source Technology Centre
[email protected]
Intel Corporation
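Added example, not part of the original message and not OpenSSL code: a sketch of the "explicitly-configured prefixes" restriction mentioned above, where the engine name is taken only from a configured table and every other string is treated as a file name. The `prefix_rule` struct, `engine_for_spec()` and the path-separator rule for forcing a file name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical admin-configured rule: a key/cert spec starting with
 * `prefix` is handed to the engine named `engine_id`. */
struct prefix_rule {
    const char *prefix;     /* includes the trailing ':' */
    const char *engine_id;
};

/* Return the engine id to use for `spec`, or NULL when `spec` must be
 * opened as an ordinary file. The engine name always comes from the
 * configured table, never from the caller-supplied string. */
const char *engine_for_spec(const char *spec,
                            const struct prefix_rule *rules, size_t nrules)
{
    const char *colon;
    size_t plen, i;

    if (spec == NULL || (colon = strchr(spec, ':')) == NULL || colon == spec)
        return NULL;
    plen = (size_t)(colon - spec) + 1;
    /* Assumed escape hatch: a path separator before the ':' means the
     * caller named a file, e.g. "./pkcs11:backup.pem". */
    if (memchr(spec, '/', plen) != NULL)
        return NULL;
    for (i = 0; i < nrules; i++) {
        if (strlen(rules[i].prefix) == plen &&
            memcmp(rules[i].prefix, spec, plen) == 0)
            return rules[i].engine_id;
    }
    return NULL; /* unknown scheme: no engine is loaded on its behalf */
}

int main(void)
{
    /* Constructed sample configuration and inputs. */
    static const struct prefix_rule rules[] = { { "pkcs11:", "pkcs11" } };
    static const char *specs[] = { "pkcs11:object=signing-key", "evil:x",
                                   "./pkcs11:backup.pem", "key.pem" };
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        const char *e = engine_for_spec(specs[i], rules, 1);
        printf("%-28s -> %s\n", specs[i], e ? e : "(file)");
    }
    return 0;
}
```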
