[Cryptography-dev] Keys/Certificates/CRLs/x509 in pyOpenSSL

Cory Benfield cory at lukasa.co.uk
Mon Dec 28 04:51:27 EST 2015


> On 28 Dec 2015, at 09:35, Hynek Schlawack <hs at ox.cx> wrote:
> 
> Hi,
> 
> we have quite a bit of pull requests on pyOpenSSL that revolve around improving the state of x509 objects in general as far as I understand it.
> 
> Since I already got reprimanded by Alex G for merging one because cryptography has routines for that, I wonder if we should close them all as WONTFIX and instead add methods akin to `PKey.from_cryptography()`, `key_instance.to_cryptography()`.
> 
> I welcome any feedback.  The current pyOpenSSL situation which is mostly a swamp of guilt is becoming unbearable to me.  When I took over maintainership I made it clear that I see myself mostly as a repo janitor and Bad Ideas Deflector™.  Sadly that’s not working out at all.  Getting rid of the burden of actually moving forward a whole sub-system might alleviate that a bit I guess (this is not meant as an ultimatum, I have no idea if it’d help).

As official “sometimes helps Hynek when he feels sad” person, I’m strongly in favour of deprecating whatever we can from PyOpenSSL if there is a good alternative available (i.e. cryptography). It’s frustrating and perplexing that installing PyOpenSSL gives you two interfaces for working with X509 certs, and where the top layer is arguably *less* helpful (and definitely more surprising) than the layer it uses to do the real work.

To make this kind of deprecation work I think we definitely need a to/from cryptography method to have been in place for a while, so I’m in favour of this plan. Long term, however, I want PyOpenSSL stripped down to be only what cryptography itself does not do.

Cory