[DRAFT] Expose selected certificate types in Cert Verify callbacks #2266
Conversation
|
I wonder if it's feasible to do this backwards compatibly by introducing new methods in the verifier traits that just yield the appropriate response if they get an identity type they don't understand. Also please make IdentityDer non-exhaustive. |
|
@djc good idea, added the appropriate methods, I think this should work asfaict. They will need some naming work, so for now I just prefixed them with |
|
I would kind of expect |
That makes sense, but if we do this, how would we use this type in |
|
Any more thoughts on if I should fill this out with logic, or do you think this is not realistic to merge this? |
I'm fairly ambivalent personally but would be interested in what the other maintainers are thinking. From my side I think it's introducing complexity that seems to only support a use case had by users in one particular niche that evaluated Rustls/TLS for their needs, found a traditional PKI a bad fit, and so deployed a hack that now complicates migration to a better solution. I'm sympathetic since the better solution wasn't available at the time, but I'm also not eager to complicate Rustls to support what seems like an improvement with a limited shelf-life (AIUI eventually all mixed deployments will be RPK only and new deployments should be RPK only from the jump). |
Working on a design to solve #2258
Currently the design is based on the latest suggestion from @djc in #2258
PKI Types branch: https://github.com/dignifiedquire/pki-types