gnome-keyring Storage of trust assertions
- From: Stef Walter <stefw collabora co uk>
- To: "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: gnome-keyring Storage of trust assertions
- Date: Tue, 07 Dec 2010 14:46:48 -0600
Hi all!
I've been doing some work on the storage of trust assertions in
gnome-keyring. These are used to store things like certificate
exceptions (per host), trust anchors, and certificate revocation lists.
I've been implementing the trust assertions rough draft spec [1] with
compatibility for netscape trust objects [2] as well.
libgcr has new functions [3] for looking up whether a certificate
exception exists for a given certificate, and looking up trust anchors
(among other things). These functions use PKCS#11 internally to access
the modules where this data is stored.
The storage takes place in the pkcs11/xdg-store PKCS#11 module.
BTW, I was thinking about signing the files containing the trust
assertions, with a key for each user. But it turns out this has no value
at all if malicious code can just replace the signing key. :S
All the above code is in the trust-store branch of gnome-keyring.
Cheers,
Stef
[1] rough draft: http://people.collabora.co.uk/~stefw/trust-assertions.html
[2] https://developer.mozilla.org/en/NSS/PKCS_%2311_Netscape_Trust
[3] http://people.collabora.co.uk/~stefw/gcr-docs/gcr-Trust-Storage-and-Lookups.html
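The message above describes lookups (does a certificate exception exist for this certificate, host and purpose? is this certificate a trust anchor?) that libgcr answers by searching trust objects in a PKCS#11 module. The block below is an added illustration, not code from gnome-keyring or libgcr: it models trust assertions as PKCS#11-style objects (attribute dictionaries) and answers the two lookups with template matching, the way a C_FindObjects search works. The attribute names, assertion type strings, the TrustStore class and the constructed certificate bytes are all assumptions made for the example; they are not the identifiers used by the draft spec or by the xdg-store module.

```python
import hashlib

# Hypothetical attribute names, modelled on a PKCS#11 template. The real
# gnome-keyring/libgcr attribute constants are deliberately not reproduced.
ASSERTION_TYPE = "assertion-type"
CERT_VALUE = "certificate-value"
PURPOSE = "purpose"
PEER = "peer"

EXCEPTION = "certificate-exception"  # per-host exception for one certificate
ANCHOR = "trust-anchor"              # certificate trusted as a root for a purpose

PURPOSE_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (extended key usage OID)


class TrustStore:
    """In-memory stand-in for a PKCS#11 module that stores trust assertion objects.

    Every object is a dict of attributes. A lookup builds a template and keeps
    only the objects whose attributes all match it exactly, which is the
    C_FindObjectsInit/C_FindObjects semantics a module exposes to the library.
    """

    def __init__(self):
        self._objects = []

    def _find(self, template):
        return [o for o in self._objects
                if all(o.get(k) == v for k, v in template.items())]

    def add_certificate_exception(self, cert_der, purpose, peer):
        # Exceptions are keyed by the exact certificate, purpose and peer, so the
        # same certificate accepted for one host is not accepted for another.
        template = {ASSERTION_TYPE: EXCEPTION, CERT_VALUE: cert_der,
                    PURPOSE: purpose, PEER: peer}
        if not self._find(template):          # idempotent: no duplicate objects
            self._objects.append(dict(template))

    def remove_certificate_exception(self, cert_der, purpose, peer):
        template = {ASSERTION_TYPE: EXCEPTION, CERT_VALUE: cert_der,
                    PURPOSE: purpose, PEER: peer}
        self._objects = [o for o in self._objects if o not in self._find(template)]

    def is_certificate_exception(self, cert_der, purpose, peer):
        return bool(self._find({ASSERTION_TYPE: EXCEPTION, CERT_VALUE: cert_der,
                                PURPOSE: purpose, PEER: peer}))

    def add_trust_anchor(self, cert_der, purpose):
        # Anchors carry no peer: they apply to every host for the given purpose.
        template = {ASSERTION_TYPE: ANCHOR, CERT_VALUE: cert_der, PURPOSE: purpose}
        if not self._find(template):
            self._objects.append(dict(template))

    def is_trust_anchor(self, cert_der, purpose):
        return bool(self._find({ASSERTION_TYPE: ANCHOR, CERT_VALUE: cert_der,
                                PURPOSE: purpose}))

    def object_count(self):
        return len(self._objects)


def fingerprint(cert_der):
    """SHA-256 of the DER bytes; handy for logging which object matched."""
    return hashlib.sha256(cert_der).hexdigest()


if __name__ == "__main__":
    # Constructed sample input: stands in for a DER-encoded certificate.
    cert = b"-- constructed DER bytes for the example --"
    store = TrustStore()
    store.add_certificate_exception(cert, PURPOSE_SERVER_AUTH, "mail.example.org")
    print(fingerprint(cert)[:16],
          store.is_certificate_exception(cert, PURPOSE_SERVER_AUTH, "mail.example.org"),
          store.is_certificate_exception(cert, PURPOSE_SERVER_AUTH, "www.example.org"))
```

The point the model makes explicit is the difference in keying: an exception matches only for the certificate, purpose and peer it was stored for, while an anchor matches for any peer. A change in any byte of the certificate produces a different object and therefore no match.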