Hello golang-dev@googlegroups.com, agl@golang.org, rsc@golang.org, alex.brainman@gmail.com (cc: golang-dev@googlegroups.com, kalthorn@gmail.com), I'd like you to review this change ...
14 years, 1 month ago
(2012-02-25 16:52:48 UTC)
#1
Thank you for doing the work but I'm afraid that I must admit to feeling ...
14 years, 1 month ago
(2012-02-26 21:18:09 UTC)
#2
Thank you for doing the work but I'm afraid that I must admit to feeling that
this isn't right. It's also crypto/tls specific rather than being available to
any users of crypto/x509.
My feeling is that crypto/x509 can export a *CertPool on Windows meaning `the
system roots' and then crypto/x509.*Certificate.Verify can recognise this magic
and have CAPI build the chains directly. CAPI is generally very good code.
I think this reuses much of this CL and hopefully the result is cleaner and more
general.
On 2012/02/26 21:18:09, agl1 wrote: > Thank you for doing the work but I'm afraid ...
14 years, 1 month ago
(2012-02-26 21:35:07 UTC)
#3
On 2012/02/26 21:18:09, agl1 wrote:
> Thank you for doing the work but I'm afraid that I must admit to feeling that
> this isn't right. It's also crypto/tls specific rather than being available to
> any users of crypto/x509.
>
> My feeling is that crypto/x509 can export a *CertPool on Windows meaning `the
> system roots' and then crypto/x509.*Certificate.Verify can recognise this
magic
> and have CAPI build the chains directly. CAPI is generally very good code.
>
> I think this reuses much of this CL and hopefully the result is cleaner and
more
> general.
SGTM, but can we do this without adding exports to crypto/x509 (I suppose that
would break the API freeze)?
I suppose we could overload a nil CertPool to mean system roots for Windows, and
change it after Go 1. Any better suggestions?
On Sun, Feb 26, 2012 at 4:35 PM, <krautz@gmail.com> wrote: > I suppose we could ...
14 years, 1 month ago
(2012-02-26 21:41:01 UTC)
#4
On Sun, Feb 26, 2012 at 4:35 PM, <krautz@gmail.com> wrote:
> I suppose we could overload a nil CertPool to mean system roots for
> Windows, and change it after Go 1. Any better suggestions?
Oh yes, absolutely. I think nil should mean system roots in
crypto/tls. Simply adding exports doesn't break an API, even if other
packages in the core use them, it's only when existing, external, code
would have to change that it's an issue.
Cheers
AGL
On 2012/02/26 21:41:01, agl1 wrote: > On Sun, Feb 26, 2012 at 4:35 PM, <mailto:krautz@gmail.com> ...
14 years, 1 month ago
(2012-02-26 21:55:10 UTC)
#5
On 2012/02/26 21:41:01, agl1 wrote:
> On Sun, Feb 26, 2012 at 4:35 PM, <mailto:krautz@gmail.com> wrote:
> > I suppose we could overload a nil CertPool to mean system roots for
> > Windows, and change it after Go 1. Any better suggestions?
>
> Oh yes, absolutely. I think nil should mean system roots in
> crypto/tls. Simply adding exports doesn't break an API, even if other
> packages in the core use them, it's only when existing, external, code
> would have to change that it's an issue.
I actually meant in crypto/x509 -- to avoid adding an export. But if adding one
is fine, I'll do that.
Should I just move all root fetchers to crypto/x509 and export their pools via
x509.*SystemRootPool while I'm there?
Issue 5694078: code review 5694078: crypto/tls: use windows's lazy root fetching
(Closed)
Created 14 years, 1 month ago by mkrautz
Modified 14 years, 1 month ago
Reviewers: golang-dev, agl1, rsc, brainman
Base URL:
Comments: 4
