Re: gnome-keyring has SSH, X.509 certificate and key support



Luis Villa wrote:
> Comment 1: this is awesome. I'm very psyched to finally see proper ssh
> support, and in general to see better identity/key management in
> GNOME. This is hugely important- I think much more so than people seem
> to realize.

Yes. I hope that with a solid modern PK infrastructure, applications
will be able to use encryption in a way that doesn't stomp on users' toes.

> Comment 2: will I still be required to re-auth post login with this
> release? or will access to the default keyring now be automatic with
> login? (You make reference to a 'login keyring', so I'm optimistic
> this is what you mean, but I wanted to double-check.)

Yes, this is probably the most compelling reason for GNOME having a real
certificate and key store: The integration with the user's login.

gnome-keyring 2.20 included support for unlocking the user's keyrings
with the user's login password. And the current certificate store builds
on that functionality.

The 'login' keyring is a keyring that is unlocked by PAM upon successful
authentication. When a private key needs to be unlocked (for example
when using it to do an SSH login), the 'login' keyring is checked for a
relevant password.

Obviously support is there for those with differing security needs, and
prompts will show up for keys that have no automatic unlock password
present.

> Comment 3: have you talked to the Novell guys working on the Bandit
> Project aka DigitalMe? I just installed their linux build and firefox
> plugin[1] and got a really great authentication experience with two
> sites that use the CardSpace aka InfoCard standard.[2] It seems to
> already interoperate with the keyring, which is great, but it seems
> like it would be good if GNOME made sure to reach out to them and make
> sure that we're providing what they need.

Interesting. I'll drop them a note [1].

Cheers,
Stef Walter

[1] ... once I can manage to figure out how to access their mailing list
without giving them an insane amount of personal info and '[x] we can
spam you and yours' in order to create a 'Novell' account.


