PKCS 12 support questions

Werner Koch wk at
Thu Jan 23 10:50:22 CET 2014

On Mon, 20 Jan 2014 19:36, dbaryshkov at said:

>> Because pkcs#12 is an entirely broken design and I did this only on
>> customer request for migrating existisng keys.
> By the way, what is so broken in pkcs#12 in your opinion? It looks like

See Peter Gutmann's take on it:

  PFX - How Not to Design a Crypto Protocol/Standard

  This document was originally intended to be a companion to my X.509
  style guide, containing various hints and tips on how best to
  implement PFX/PKCS #12. However after trying to read it several times
  over, I've come to the conclusion that if this came from anyone but
  Microsoft, it would probably be regarded as some kind of deliberate
  sabotage attempt on crypto PDU design. After a week or so of not being
  able to bring myself to touch it I'd think "It can't be that bad, it
  just can't be that bad", and then go back and start reading again and
  find that it really *was* that bad.

  As it turns out, because PFX is so comprehensively broken it's far
  easier to take the style guides "try and do this to demonstrate good
  style" and turn it around into PFX's "do this to demonstrate bad
  style". As a result, I've decided to do a rant instead of a proper
  discussion like the style guide. Rants are far more fun to write

  So, here's the PFX anti-style guide, or "How not to design a crypto




Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list