Re: [edk2-discuss] a question about X509 flag
From: Marvin Häuser
Date: 2021-09-27 9:21 UTC
To: discuss, xiewenyi2
Cc: jiewen.yao, Jian J Wang, xiaoyux.lu, guomin.jiang, devel@edk2.groups.io

Hey Wenyi,

Sorry, I cannot help with the time one, but "partial chain" is how virtually any other crypto solution works out of the box. Basically there is a disagreement about what defines a root certificate, and while some think it is the OpenSSL default of requiring a self-signed certificate for root, many people including myself strongly disagree and do not believe it follows from the RFCs. I'm not aware of any bad security implications of either model. So, this merely allows any certificate in the chain (the top one may be self-signed *if* it even is a certificate, it may just as well be a trusted public key for all we know) to be eligible to be added to the trust store and root a trust chain.

Further reading: https://github.com/openssl/openssl/issues/7871

Cc CryptoPkg maintainers and edk2-devel for further feedback

Best regards,
Marvin

On 27/09/2021 10:53, wenyi,xie via groups.io wrote:
> Hello,
>
> I have a question about a flag set in X509_STORE. Does anyone know why the flags X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_NO_CHECK_TIME need to be set on X509Store in TlsNew() (CryptoPkg\Library\TlsLib\TlsInit.c)?
>
> Thanks
> Wenyi
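To make the partial-chain point concrete, here is an added demonstration (not edk2, CryptoPkg or OpenSSL project code) using the openssl CLI: it builds a constructed root -> intermediate -> leaf chain, then verifies the leaf against a trust store holding only the non-self-signed intermediate, once with OpenSSL's default rules and once with -partial_chain, the command-line counterpart of the X509_V_FLAG_PARTIAL_CHAIN store flag asked about above. Subject names and file names are made up for the demo.

```shell
#!/bin/sh
# Added demo, not edk2 or OpenSSL project code. With only the intermediate
# trusted, OpenSSL rejects the chain by default (it wants a self-signed
# root) but accepts it with -partial_chain, i.e. X509_V_FLAG_PARTIAL_CHAIN.
set -u

# Key + CSR for one subject: $1 = file stem, $2 = CN (constructed names).
mkcsr() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" &&
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

# Sign a CSR with a CA: $1 = CSR stem, $2 = CA stem, $3 = X.509 extensions.
sign() {
  printf '%s\n' "$3" > "$WORK/$1.ext" &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
      -CAkey "$WORK/$2.key" -CAcreateserial -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem"
}

build_chain() {
  # Self-signed root: the only kind of anchor OpenSSL accepts by default.
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/root.key" &&
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Demo Root" \
      -days 30 -addext "basicConstraints=critical,CA:TRUE" \
      -out "$WORK/root.pem" &&
  mkcsr inter "Demo Intermediate" &&
  sign inter root "basicConstraints=critical,CA:TRUE" &&
  mkcsr leaf "demo.example" &&
  sign leaf inter "basicConstraints=CA:FALSE"
} >/dev/null 2>&1

# Verify the leaf with ONLY the intermediate trusted; extra args go to verify.
verify_leaf() {
  openssl verify "$@" -no-CApath -CAfile "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Prints "strict=<0|1> partial=<0|1>", where 0 means the chain was accepted.
demo() {
  WORK=$(mktemp -d)
  build_chain || { rm -rf "$WORK"; echo "chain build failed"; return 1; }
  if verify_leaf; then strict=0; else strict=1; fi
  if verify_leaf -partial_chain; then partial=0; else partial=1; fi
  rm -rf "$WORK"
  echo "strict=$strict partial=$partial"
}

demo
```

The default run fails with "unable to get issuer certificate" at the intermediate, because OpenSSL keeps walking up looking for a self-signed root; with -partial_chain the intermediate found in the store terminates the chain, which is the behaviour TlsNew() opts into for its X509_STORE.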
Re: [edk2-discuss] a question about X509 flag
From: wenyi,xie
Date: 2021-09-27 13:14 UTC
To: Marvin Häuser, discuss
Cc: jiewen.yao, Jian J Wang, xiaoyux.lu, guomin.jiang, devel@edk2.groups.io

On 2021/9/27 17:21, Marvin Häuser wrote:
> Hey Wenyi,
>
> Sorry, I cannot help with the time one, but "partial chain" is how virtually any other crypto solution works out of the box. Basically there is a disagreement about what defines a root certificate, and while some think it is the OpenSSL default of requiring a self-signed certificate for root, many people including myself strongly disagree and do not believe it follows from the RFCs. I'm not aware of any bad security implications of either model. So, this merely allows any certificate in the chain (the top one may be self-signed *if* it even is a certificate, it may just as well be a trusted public key for all we know) to be eligible to be added to the trust store and root a trust chain.

Thank you for your detailed explanation, it helps a lot. X509_V_FLAG_PARTIAL_CHAIN is clear to me now.

Wenyi

> Further reading: https://github.com/openssl/openssl/issues/7871
>
> Cc CryptoPkg maintainers and edk2-devel for further feedback
>
> Best regards,
> Marvin
>
> On 27/09/2021 10:53, wenyi,xie via groups.io wrote:
>> Hello,
>>
>> I have a question about a flag set in X509_STORE. Does anyone know why the flags X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_NO_CHECK_TIME need to be set on X509Store in TlsNew() (CryptoPkg\Library\TlsLib\TlsInit.c)?
>>
>> Thanks
>> Wenyi