Hi Matthew,

On Monday 17 October 2011, at 23:48:01, Matthew Barnes wrote:
> On Mon, 2011-10-17 at 15:21 +0200, Christian Hilberg wrote:
> > Fair enough, thanks for clarifying. If that's the current status, then
> > nothing is lost if we keep the implementation as-is for now and try it
> > again later on.
>
> Still not sure how this whole security puzzle fits together yet, but
> this sounds like a piece of it:
>
> http://stef.thewalter.net/2011/10/redesigning-seahorse-experience.html
>
> Seahorse (or the library stack that Seahorse is built on) is supposedly
> adding support for NSS certificates by GNOME 3.4.

This reads interesting, for sure.

> That means we should soon be able to plug into Seahorse for certificate
> management instead of talking to NSS directly some time next year. At
> least that's my hope.

The email (backend) factory which is in the making for carving out email handling from the Evo frontend would surely need a way to be fed with passwords, be it standard user auth or any more advanced thing like opening a security token with a PIN and reading authentication data (like client certificates) from there. Once configured in Seahorse, Evo might not need to do more than present a dialogue for the general Seahorse (stack) password, and everything is set from there on, since the email factory, and possibly other factories as well, will be granted access to the passwords or other authentication data they need, all handled by a service which is controlled/configured via Seahorse. Maybe this is a perspective for solving that whole security puzzle?

> I highly encourage you to contact Stef about your smart card issue, as
> he can certainly paint a clearer picture than I can.

I will do so. I've seen his posts on gnutls-devel regarding the PKCS#11 stuff, and it really seems things are starting to work out in this area.

I'm presently having the issue that OpenLDAP won't use a client certificate, since it builds against GnuTLS, and the security token handling is not transparent there for a lib like OpenLDAP. Instead, the application needs to handle all details by itself. My hope would be that this whole Seahorse effort will solve most of the trouble... :)

Thanks for the hint and kind regards,

Christian

--
kernel concepts GbR          Tel: +49-271-771091-14
Sieghuetter Hauptweg 48
D-57072 Siegen
http://www.kernelconcepts.de/