Re: gnome-keyring Seahorse and smart cards (OpenSC) / FOSDEM



On 2010-09-20 11:09, Martin Paljak wrote:
> Hello,

Hi! Good to have you. I was away most of the week, and I just now saw
your interesting email.

> There have been past mentions of OpenSC on this list [1] and
> Seahorse/GnomeKeyring in OpenSC list [2].
> 
> I'm not a full time Linux user but when I do, I run GNOME. So it was
> really interesting to find out about Seahorse and GnomeKeyring in
> general. I've been playing with the ~/.ssh PKCS#11 module and trying
> to understand the architecture [3], which was also mentioned on
> opensc-devel [4] (sorry about those long unreadable lines, I'll try
> to tweak my mail client to not do so in the future).
> 
> Unfortunately, there was no information I could find about what
> happened on the GUADEC BOF [5].

blush... The BOF didn't really turn out the way a BOF should. We had
some really interesting discussion about security in general. But we
didn't end up producing much progress or action items.

That's my fault I guess. It was my first GUADEC and first time leading a
BOF. I hope to participate better and precipitate things better next time.

> Some presentations?

Yes, there were several security presentations at GUADEC. As I posted
elsewhere, my talk was about PKCS#11 and bringing together an
infrastructure for usable crypto in GNOME:

http://memberwebs.com/stef/misc/guadec-usable-crypto.pdf

> How many people besides the ones listed on the wiki?

About 15 to 20 at the BOF, I think.

> I still don't fully understand what Seahorse/GnomeKeyring wants to
> become (when compared to QCA [6] or OSX Keychain) 

GnomeKeyring is something like OSX Keychain internals; it stores
passwords, secrets, keys and certificates.

Seahorse is the key manager for GPG keys, passwords, and certificates
(via PKCS#11). Seahorse is the UI.

GnomeKeyring has its focus on common and secure storage of secrets, keys
and certificates. We haven't tried to make it into a crypto library.
It's supposed to be useful together with lots of other components
(including QCA) and bring them together.

OpenSC creates drivers for smart cards and related infrastructure.
GnomeKeyring and OpenSC use a lot of the same technologies, and can
interoperate in various ways.

A lot of the pieces of the puzzle for all this integration are coming
together, but there's a lot more polish necessary.

My presentation at GUADEC had a lot of info about this goal.

There's so much to do to have a polished and usable Linux desktop
crypto. Even though people have different goals, the 'space' is so big
that we can work and interact without stepping on each other's toes.

> or how exactly it
> matches what OpenSC is trying to go, but I'm sure tighter
> vision-sharing helps to get there faster.

Yes for sure.

> There has been a long-time idea to organize a meetup of OpenSC
> developers and the best idea would be to do it at some nice
> conference. FOSDEM [7] seems to be the perfect candidate. To make the
> event fruitful, the idea of having a devroom with "Security /
> hardware crypto keys". I will not repeat what I wrote on
> opensc-devel [7], but I'm looking for potential visitors to the event
> and try to gather a common set of interests and requirements/tangible
> tasks for a devroom and also ideas for workshops and code sprints and
> whatnot.

Very cool. I'd be interested in taking part.

BTW, I'd suggest subscribing to the gnome-keyring-list gnome org mailing
list, as gnome-keyring is where most of the PKCS#11 action in GNOME
takes place. Although it's a goal to have seahorse be a good UI and key
manager for PKCS#11 tokens as well.

Cheers,

Stef

