crypto/x509: doc: clarify package is aimed towards Web PKI support #26624

Open
adamdecaf opened this issue Jul 26, 2018 · 6 comments

@adamdecaf (Contributor) commented Jul 26, 2018

It's been noted before that crypto/x509 is aimed towards only supporting the Web PKI. (See: #16858 (comment) and #24151 (comment).) However, the documentation doesn't clearly state that.

This means it's a bit unclear what to expect from this package.

  • Is it valid for SystemCertPool() to return certificates for email signing?
  • How forgiving should parsing / validation be?
  • What level of extensibility (re: OIDs) should be supported?

Explaining non-goals would also be helpful.

@gopherbot commented Jul 26, 2018

Change https://golang.org/cl/126136 mentions this issue: crypto/x509: clarify package is for the web pki

@adamdecaf (Contributor, Author) commented Jul 26, 2018

@ianlancetaylor changed the title from "doc: crypto/x509: clarify package is aimed towards Web PKI support" to "crypto/x509: doc: clarify package is aimed towards Web PKI support" Aug 3, 2018
@ianlancetaylor added this to the Go1.12 milestone Aug 3, 2018

@odeke-em (Member) commented Jan 30, 2019

Kindly paging @FiloSottile, @agl commented on the CL, please take a look. Thank you.

@andybons modified the milestones: Go1.12, Go1.13 Feb 12, 2019
@andybons modified the milestones: Go1.13, Go1.14 Jul 8, 2019
@rsc modified the milestones: Go1.14, Backlog Oct 9, 2019

@FiloSottile (Member) commented Jul 3, 2020

I think this would also be important in terms of ensuring the package can evolve as the PKI does. However, in practice we do support custom roots, so we can't just say "WebPKI only". What about this wording?

This package targets a profile of X.509 compatible with the WebPKI and other PKIs that follow the current CA/Browser Forum Baseline Requirements.

@sleevi, any opinions?

@sleevi commented Jul 3, 2020

Yeah, I can't think of any better way to frame it, especially since you support things that are not permitted by the "Web PKI" profile (e.g. URI nameConstraints). Removing support for something the Web PKI removes support for is consistent with keeping the profiles compatible, while it's clear you don't limit support to exactly that profile.

@gopherbot commented Jul 6, 2020

Change https://golang.org/cl/241118 mentions this issue: crypto/x509: clarify package use-case and implementation reasoning

@FiloSottile modified the milestones: Backlog, Go1.16 Oct 20, 2020
@FiloSottile self-assigned this Oct 20, 2020
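
The thread's point that custom roots are supported while the defaults follow the Web PKI, shown as an added example that is not part of the issue or of the Go project's code: a constructed private root and an emailProtection-only leaf are verified twice, and only the call that names the email EKU succeeds, because an empty `VerifyOptions.KeyUsages` means `ExtKeyUsageServerAuth`. The helper names (`must`, `sign`, `verifyEmailLeaf`) and the certificate subjects are made up for illustration; Go 1.18 or later is assumed for generics.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup failures (key generation, signing, parsing).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl for pub under issuer and returns the parsed certificate.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// verifyEmailLeaf verifies a constructed email-only leaf under a constructed private root, twice.
func verifyEmailLeaf() (defaultErr, emailErr error) {
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	email := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "Constructed Private Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "Constructed S/MIME Leaf"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: email}, root, &leafKey.PublicKey, rootKey)
	pool := x509.NewCertPool() // custom roots, not SystemCertPool()
	pool.AddCert(root)
	_, defaultErr = leaf.Verify(x509.VerifyOptions{Roots: pool}) // KeyUsages unset: ServerAuth assumed
	_, emailErr = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: email})
	return defaultErr, emailErr
}

func main() {
	fmt.Println(verifyEmailLeaf())
}
```

Callers that validate non-TLS certificates against their own roots need to set `KeyUsages` explicitly; passing `ExtKeyUsageAny` instead disables the EKU check altogether.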