Thanks for creating the issue to clarify the doc.
Some more related background / general comments / enhancement ideas:
- Interacting with certificates and keys stored in files is quite common, and there are lots of use cases for certs / keys besides TLS. For example, in my use case, I actually did not need TLS in this particular module -- I was just doing some certificate / key validation. Therefore, I originally went looking for and was expecting to find these utility "load from file"-type functions in crypto/x509, not crypto/tls. Perhaps it makes sense to re-factor / re-layer / re-abstract some of this file-based functionality into crypto/x509 to conveniently open up more general use cases and where the parsed status of any certs / keys would always be explicit and/or self-documenting. In doing so, crypto/tls could continue to preserve the lowest memory footprint assuming the more common server-side TLS use case.
- Along the lines of LoadX509KeyPair, in crypto/x509, it would also be very convenient if "to/from file" functionality ("Load" / "Store") could be extended to certs and all the public/private key types (PKCS1, PKCS8, EC, PKIX, etc.). Not having to lookup the correct PEM-block type or write the file-wrapper functions (or invoke openssl commands) means less mistakes, less duplicate code, and just less time spent. This would also definitely help developers coming from other, older languages (e.g., Java, .NET) where such utility functions have become part of their built-in crypto libraries.
I understand resources are limited, and the crypto investments put into GO so far have been the minimum needed to support more common / popular like TLS 1.2. But, hopefully, further investment, especially on the convenience front, is not completely off the table or at the very bottom of the priority stack.
I'm not a cryptographer, but I'm happy to contribute however I can.
Thanks again for all your efforts.
Regards,
Omar