Re: gnome-keyring & NSS



I hope it's okay if I CC my response to the (new) gnome-keyring mailing
list.

Hans Petter Jansson wrote:
> Hi. I have some questions about gnome-keyring in relation to the storage
> of cryptographic certificates and other secrets.
> 
> We're set to implement a shared certificate store on openSUSE, based on
> NSS 3.12's ability to let multiple applications share the same store. In
> the first pass, we'll likely support sharing certificates between at
> least Evolution, OpenOffice, Firefox and NetworkManager, and we're
> hoping to do this by patching these apps to use a shared location for
> their NSS databases.
> 
> NetworkManager, however, is in a special position as it already uses
> gnome-keyring to store secrets for WPA and VPNs. How feasible would it
> be for us to use gnome-keyring for storing certificates and other
> secrets using the shared NSS database as a backend, on GNOME 2.24? How
> could we (me and/or Tambet Ingo) help out to make this possible, granted
> that we're not experts in this area?

gnome-keyring can't really store its passwords in NSS presently. To do
something like that would need a moderate rewrite of the crypto code.
However there's good news :)

Since gnome-keyring is a PKCS#11 provider, all the various crypto
libraries (like GnuTLS, NSS, and OpenSSL) can use the keyring stored
within gnome-keyring.

In one way it's a bit confusing that Linux has no standard crypto
library, but the nice thing is that they support the PKCS#11 standard
and in this manner are able to share keys, crypto cards, etc...

This may need some fine tuning and bug fixes but I think this is where
our work should be focused when it comes to integration. Any
participation in this area is more than welcome, and I can help get
anyone started who is interested.

In addition, 'seahorse', the key manager for Gnome, will be able to edit
keys via PKCS#11 as well. The basic code is already in place, but is not
yet enabled for 2.24.

Cheers,

Stef Walter
