Simo Sorce
Simo Sorce
Forgot that CI is foobar, but this LGTM. Want me to push?
We can probably allow a PUT with a query option to indicate we want to replace, or just simply always allow to replace.
Replace is probably the better semantic, otherwise 2 concurrent clients can end up stomping on each other.
I am tempted to say we want CAS, but probably a simple replace is fine, as long as at all times the secret actually "exists", I want to avoid the...
@paulidale indicators are not a hack, but an explicit requirement of the new FIPS-140-3 standard. We kind of invented the concept of implicit indicators, but having explicit ones is the...
@t8m @paulidale Just to move the discussion along this is an example of what indicators could look like: https://github.com/simo5/openssl/commit/f38ca9f089a17b85a9ab54b39cfc4cb935cef15b Key aspects: - it allows to confine FIPS checks to the...
The SPI between fips.so and libcrypto.so is different from the API you get from libcrypto.so You need to look at libcrypto to find out what the public APIs are. Even...
Yeah absolutely agree, in fact I already felt the need for this in the pkcs11 provider because KDFs or KEMs generate keys. Not all tokens allow for exporting them as...
FWIW you may want to ake in consideration this message from NIST: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Mf2kemwwreY/m/KArjoIhxAQAJ The part to take in consideration is the ability to have separate access layers to the functions,...