On Thu, 2018-10-11 at 20:41 +0200, Nikos Mavrogiannopoulos wrote:

As a distribution representative for rhel/fedora, I really second that. There is no reason to create code for auto-detection, as a typical application writer or app user would want to use "tpm2" rather than a specific engine. In fact we are even hiding the engine loading when we can, as this is a detail the user shouldn't bother with.

In an ideal world I'd go even further and suggest we should have just one engine — all the ASN.1 parsing and OpenSSL interfacing, and the STORE bits I'd like to add, could exist just once. Likewise the policy parsing, in fact.

And the back end which actually talks to the TPM could have two variants, for both TSS stacks. Much like the code I've put into OpenConnect, which I'm hoping to palm off onto Nikos for GnuTLS... :)