[gnutls-devel] Proposal for the ASN.1 form of TPM1.2 and TPM2 keys

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Dec 24 14:25:00 CET 2016

On Fri, Dec 23, 2016 at 7:06 PM, James Bottomley
<James.Bottomley at hansenpartnership.com> wrote:
> The reason this comes about is because we already have a standard form
> for TPM 1.2 keys here:
> http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#ident-tpm
> However, since I'm working on TPM2 enabling for openssl and gnutls, I
> need to come up with a new key format because TPM2 requires some extra
> parameters and the original TSS KEY BLOB, being a single
> ASN1_OCTET_STRING isn't expandable.
> I'm torn on where to get the OIDs from.  Since this is a TPM key, it
> might make sense to use the TCG OID (2.23.133) and just add something
> they haven't already used, like 10 for key formats, or we could go with
> a pkcs OID (1.2.840.113549.1)

OIDs under some umbrella normally need to be registered within the
organization they belong to. If you cannot find a suitable
organization to get these OIDs from I'll check whether we can get
something under redhat's OIDs.

> If we can agree on this, we can update David's document and make it a
> formal RFC.

Shouldn't version be first? However, I'm not sure how expandable is
ASN.1 using version fields (I've seen no structure being able to be
re-used using a different version). An alternative approach would to
allow for future extensions, i.e., something like the PKIX Extension
field, which is an OID+data.


More information about the Gnutls-devel mailing list