[Cryptography-dev] Keys/Certificates/CRLs/x509 in pyOpenSSL
Hynek Schlawack
hs at ox.cx
Mon Dec 28 04:35:15 EST 2015
Hi,
we have quite a few pull requests on pyOpenSSL that revolve around improving the state of x509 objects in general as far as I understand it.
Since I already got reprimanded by Alex G for merging one because cryptography has routines for that, I wonder if we should close them all as WONTFIX and instead add methods akin to `PKey.from_cryptography()`, `key_instance.to_cryptography()`.
# Questions
- Am I misunderstanding something completely and this can’t happen for practical reasons?
- Does cryptography have everything in place to achieve this at all?
# Upsides
- Keeps pyOpenSSL from playing catch-up.
- Saves work in the long term.
- Gives users more power independently from pyOpenSSL releases.
- Risks of breaking backward compatibility are rather low.
- People would get used to doing x509 work with cryptography in preparation for `cryptography.tls`.
# Downsides
- I would need *active* help from either Paul or Alex G or someone who really understands both x509 (I know, nobody actually understands that, please don’t go there) and the cryptography layer on both drafting this up and implementing it.
Therefore this is absolutely *not my call* to make.
- It would further delay improvements to pyOpenSSL and the people on the bug tracker are already rightfully rather restless. I’m afraid this might lead to months of nothing happening.
***
I welcome any feedback. The current pyOpenSSL situation, which is mostly a swamp of guilt, is becoming unbearable to me. When I took over maintainership I made it clear that I see myself mostly as a repo janitor and Bad Ideas Deflector™. Sadly that’s not working out at all. Getting rid of the burden of actually moving forward a whole sub-system might alleviate that a bit, I guess (this is not meant as an ultimatum, I have no idea if it’d help).
Best,
—h