Graham Leggett wrote:
On 03 Jan 2024, at 18:02, Howard Chu hyc@symas.com wrote:
Looks a bit like a chicken'n'egg situation, why should anyone trust the connection that was used to retrieve certs and keys from the designated URI?
Not at all.
We’re referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.
Probably worth noting this in the manpages too then, that these are generally not internet URIs.
https://www.rfc-editor.org/rfc/rfc7512.html
https://datatracker.ietf.org/doc/html/draft-mavrogiannopoulos-tpmuri-01
By default OpenSSL always supports the file:// URI, which points at PEM encoded certs/keys/crls/params/etc.
Other URIs might point at the MacOS keychain, or the Windows crypto api. It’s up to the crypto library.
Regards, Graham
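To make the point in the thread concrete (these URIs name a local key store, not something fetched over the network), here is an added example, not code from this thread or from OpenSSL, that parses a `pkcs11:` URI according to the RFC 7512 grammar (`;`-separated path attributes, `&`-separated query attributes after `?`, percent-encoding, binary `id`) and classifies a key/cert locator by scheme. Only the Python standard library is assumed; the attribute name sets are the ones defined in RFC 7512, and the decision to accept unrecognised (vendor) attribute names while rejecting duplicates is this example's own choice.

```python
"""Parse RFC 7512 PKCS#11 URIs and classify key/cert locators by scheme.

Added example: not part of the mailing-list thread or of OpenSSL.
Assumes only the Python standard library.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 for the path component ...
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
# ... and for the query component.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
# Permitted values for the "type" attribute (RFC 7512 section 2.3).
TYPE_VALUES = {"public", "private", "cert", "secret-key", "data"}

# Schemes that crypto libraries resolve locally (no network connection involved).
LOCAL_SCHEMES = {
    "file": "file",      # PEM files on disk (OpenSSL default store)
    "pkcs11": "pkcs11",  # smartcards / HSMs via a PKCS#11 module
    "tpmkey": "tpmkey",  # TPM-resident keys (draft-mavrogiannopoulos-tpmuri)
}


def _split_attrs(component: str, separator: str, known: set) -> dict:
    """Split one URI component into name=value pairs, percent-decoding values.

    Duplicate attribute names are rejected (RFC 7512 says each may occur at
    most once). Unknown names are kept so vendor attributes survive; whether
    to accept them is this example's choice, not something the RFC mandates.
    """
    attrs = {}
    if not component:
        return attrs
    for part in component.split(separator):
        name, sep, raw_value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        # "id" is an opaque byte string (CKA_ID), so keep it as bytes.
        attrs[name] = unquote_to_bytes(raw_value) if name == "id" else unquote(raw_value)
    return attrs


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {"path": {...}, "query": {...}} for an RFC 7512 pkcs11: URI."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = rest.partition("?")
    path = _split_attrs(path_part, ";", PATH_ATTRS)
    query = _split_attrs(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in TYPE_VALUES:
        raise ValueError(f"invalid type value {path['type']!r}")
    # Query-only attributes must not appear in the path, and vice versa.
    for name in path:
        if name in QUERY_ATTRS:
            raise ValueError(f"{name!r} is a query attribute, not a path attribute")
    for name in query:
        if name in PATH_ATTRS:
            raise ValueError(f"{name!r} is a path attribute, not a query attribute")
    return {"path": path, "query": query}


def key_source_kind(uri: str) -> str:
    """Classify a key/cert locator by scheme; refuse anything that is not local.

    This encodes the thread's point: the URIs a crypto library accepts for keys
    and certificates are handles into local stores, so a network scheme is an
    error rather than something to go and fetch.
    """
    scheme, sep, _ = uri.partition(":")
    if not sep:
        raise ValueError("no URI scheme")
    kind = LOCAL_SCHEMES.get(scheme.lower())
    if kind is None:
        raise ValueError(f"unsupported key source scheme {scheme!r}")
    return kind


if __name__ == "__main__":
    # Constructed sample URI; the token name and object label are made up.
    sample = "pkcs11:token=My%20Token;object=server-key;type=private;id=%01%02?pin-source=file:/etc/pin.txt"
    print(parse_pkcs11_uri(sample))
    print(key_source_kind("file:///etc/ssl/server.pem"))
```

The parser does not touch a PKCS#11 module; it only produces the attribute set a library would hand to its backend, and `key_source_kind` shows the shape of the check a server should make before passing a configured locator on: anything that is not one of the known local-store schemes is rejected up front.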