Re: Progress on GNOME Certificate Store / gnome-keyring PKCS#11
Simon Josefsson wrote:
> Cool!  Do I understand correctly that you will serialize the PKCS#11
> requests through a unix socket?  I think using unix sockets is a good
> idea, the experience with gpg-agent, scdaemon etc indicates this
> provides good isolation of programs and permits easy auditing.
> However, I don't follow how the PKCS#11 requests are transmitted over
> a unix socket -- AFAIK there is no serialized protocol of PKCS#11.
> I'm probably grossly misunderstanding your architecture, but having
> more information would be useful.

Currently, it's an internal private binary protocol of serialized
PKCS#11 requests. The public 'protocol' is PKCS#11 itself.

> I will work on GnuTLS to make it aware of and support this.
> Supporting Seahorse as the X.509 CA/key/certificate store would be
> really good.

Yes, that'd be great. Although the certificate and key store I'm working
on is actually located in gnome-keyring.

> Whether it is through native PKCS#11 support, or some
> simpler protocol to a unix-socket connected process that in turn may
> talk PKCS#11 to other applications is an open question.

That's obviously up to you, but you may find that you'll want to
exercise a large portion of the PKCS#11 API. It seems that loading a
(thread-aware, BTW) PKCS#11 module and calling some function pointers
is easier than parsing some sort of protocol.

> As a first step of something simple that I can implement in GnuTLS,
> how would I retrieve all CA certificates from seahorse using your new
> interface?  Adding an API to make GnuTLS talk to seahorse and get the
> CAs seems like a useful first contribution.

Currently seahorse doesn't access the certificates. This whole project
is very much in the early stages. Soon code will be committed and things
will hopefully be clearer.

But if you do want to start on something (and sorry to keep coming back
to this), you might want to look at how GnuTLS could load a PKCS#11
module and access its functionality. To do this you'd need to find an
appropriate PKCS#11 module from a project like NSS, opencryptoki or opensc.

> Btw, I'm still interested in working on integrating Kerberos-support
> in Seahorse.  You suggested gnome-keyring instead earlier.  Since the
> encryption keys will likely not be stored in gnome-keyring but rather
> remain in /tmp/krb5cc_UID (because that is where MIT/Heimdal will look
> for them), I think seahorse may conceptually be a better fit.  What do
> you think?  I'm not sure.

Is this a UI for Kerberos? Or a daemon to automatically retrieve and
renew tickets? I guess it would depend on that.

> I don't think I understand the conceptual
> differences between seahorse, gnome-keyring and gnome-keyring-manager
> fully.

Yeah, it's a bit confusing and as time goes by I'll be working to sort
this out. I'd especially like to reduce the number of daemons involved,
and 'random' processes that get run.

PROJECT: gnome-keyring

  gnome-keyring-daemon: The daemon which holds the user's passwords.
  In the future it'll also hold an X.509 certificate store and
  perhaps other types of keys.

  libgnome-keyring: A library for accessing gnome-keyring-daemon
  passwords.

  libgnome-keyring-cryptoki: Soon to be a PKCS#11 module for
  accessing X.509 certificate store in gnome-keyring-daemon.

PROJECT: seahorse

  seahorse: An encryption key and password manager. Accesses gpg and
  gnome-keyring-daemon and presents a UI where the user can change
  the properties, add, remove keys and passwords.

  seahorse plugins: Plugins to nautilus, gedit, panel etc. to expose
  GPG encryption to those who need it.

  libcryptui: A library for prompting the user to select encryption
  recipients, keys etc. Uses seahorse-daemon.

  seahorse-agent: A simple GPG agent. The hope is that eventually we
  can retire this in favor of GPG2's own agent.

  seahorse-daemon: A DBus API which allows listing, importing,
  exporting of encryption keys. Also enables public key sharing.

PROJECT: gnome-keyring-manager

  A UI for managing passwords in gnome-keyring-daemon. It seems that
  seahorse will fill this need, at least for all the 'non-power-user'
  type functionality.

Cheers,
Nate Nielsen
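An added example (not gnome-keyring's or GnuTLS's code) of the approach Nate recommends above: dlopen() a PKCS#11 module, obtain its function list through C_GetFunctionList and walk the CKO_CERTIFICATE objects on the first token. It assumes the CK_FUNCTION_LIST entry order of the PKCS#11 v2 spec, declares only the types it needs rather than including pkcs11.h, and takes the module path (an NSS, opencryptoki or OpenSC module, for instance) from the caller.

```c
/* Added example, not gnome-keyring or GnuTLS code: dlopen() a PKCS#11 module,
 * fetch its CK_FUNCTION_LIST and count the CKO_CERTIFICATE objects on the
 * first token.  Only the needed types are declared instead of pkcs11.h. */
#include <dlfcn.h>
#include <stddef.h>
typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0, CKA_CLASS = 0, CKO_CERTIFICATE = 1, CKF_SERIAL_SESSION = 4 };
/* Index of each entry we use in CK_FUNCTION_LIST (PKCS#11 v2 order). */
enum { F_Initialize = 0, F_Finalize = 1, F_GetSlotList = 4, F_OpenSession = 12,
       F_CloseSession = 13, F_FindObjectsInit = 26, F_FindObjects = 27,
       F_FindObjectsFinal = 28 };
typedef CK_RV (*fn_get_list)(void **);
typedef CK_RV (*fn_init)(void *);            /* C_Initialize / C_Finalize */
typedef CK_RV (*fn_slots)(unsigned char, CK_SLOT_ID *, CK_ULONG *);
typedef CK_RV (*fn_open)(CK_SLOT_ID, CK_ULONG, void *, void *, CK_SESSION_HANDLE *);
typedef CK_RV (*fn_sess)(CK_SESSION_HANDLE); /* C_CloseSession / C_FindObjectsFinal */
typedef CK_RV (*fn_find_init)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
typedef CK_RV (*fn_find)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);
/* Mirrors the head of CK_FUNCTION_LIST (2-byte CK_VERSION, padding, first
 * pointer) so offsetof() yields the padded offset of the pointer table. */
struct fl_head { unsigned char major, minor; void *first; };
/* Certificate objects on the first present token, or -1 on any failure
 * (module not found, no token, PKCS#11 error).  Certificates are public
 * objects, so no C_Login / PIN is needed to enumerate them. */
long count_certificates(const char *module_path)
{
    void *lib = dlopen(module_path, RTLD_NOW);
    if (!lib) return -1;
    fn_get_list get_list = (fn_get_list)dlsym(lib, "C_GetFunctionList");
    void *list = NULL;
    if (!get_list || get_list(&list) != CKR_OK || !list) { dlclose(lib); return -1; }
    void **fn = (void **)((char *)list + offsetof(struct fl_head, first));
    long count = -1;
    CK_SLOT_ID slots[64]; CK_ULONG nslots = 64, n; CK_SESSION_HANDLE sess;
    CK_ULONG cls = CKO_CERTIFICATE;
    CK_ATTRIBUTE tmpl = { CKA_CLASS, &cls, sizeof cls };  /* search template */
    CK_OBJECT_HANDLE objs[16];
    if (((fn_init)fn[F_Initialize])(NULL) != CKR_OK) goto out;
    if (((fn_slots)fn[F_GetSlotList])(1 /* tokenPresent */, slots, &nslots) != CKR_OK
        || nslots == 0) goto fin;
    if (((fn_open)fn[F_OpenSession])(slots[0], CKF_SERIAL_SESSION, NULL, NULL, &sess) != CKR_OK)
        goto fin;
    if (((fn_find_init)fn[F_FindObjectsInit])(sess, &tmpl, 1) != CKR_OK) goto close;
    for (count = 0; ((fn_find)fn[F_FindObjects])(sess, objs, 16, &n) == CKR_OK && n > 0;)
        count += (long)n;                     /* drain matches in batches of 16 */
    ((fn_sess)fn[F_FindObjectsFinal])(sess);
close: ((fn_sess)fn[F_CloseSession])(sess);
fin:   ((fn_init)fn[F_Finalize])(NULL);
out:   dlclose(lib);
    return count;
}
```

Pass the path of a real module to count_certificates() to see the count; a missing module or a token with no certificates yields -1 or 0 respectively rather than a crash.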
