PKCS 12 support questions
Werner Koch
wk at gnupg.org
Thu Jan 23 10:50:22 CET 2014
On Mon, 20 Jan 2014 19:36, dbaryshkov at gmail.com said:
>> Because pkcs#12 is an entirely broken design and I did this only on
>> customer request for migrating existisng keys.
>
> By the way, what is so broken in pkcs#12 in your opinion? It looks like
See Peter Gutmann's take on it:
https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html
PFX - How Not to Design a Crypto Protocol/Standard
This document was originally intended to be a companion to my X.509
style guide, containing various hints and tips on how best to
implement PFX/PKCS #12. However after trying to read it several times
over, I've come to the conclusion that if this came from anyone but
Microsoft, it would probably be regarded as some kind of deliberate
sabotage attempt on crypto PDU design. After a week or so of not being
able to bring myself to touch it I'd think "It can't be that bad, it
just can't be that bad", and then go back and start reading again and
find that it really *was* that bad.
As it turns out, because PFX is so comprehensively broken it's far
easier to take the style guides "try and do this to demonstrate good
style" and turn it around into PFX's "do this to demonstrate bad
style". As a result, I've decided to do a rant instead of a proper
discussion like the style guide. Rants are far more fun to write
anyway.
So, here's the PFX anti-style guide, or "How not to design a crypto
protocol/standard".
[...]
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel
mailing list