Re: gnome-keyring Question about ACL per storage item
Hi Elena,
The question you ask has been raised before by me.
I also think this is a *very* valid requirement and I'm (pretty) sure it will be a standard feature in Windows 8.

Unfortunately, it seems that the Linux world lacks the product management and resource coordination needed to make this happen anytime soon.
Stef Walter is doing a fantastic job but there are limits to what one person can accomplish.

Anyway, fixing the keyring won't get you far; you need to be able to *issue* keys with ACLs attached, and that part is horribly lagging not only in Linux but in most systems.

FWIW, I'm running such an effort, but I'm (at least) as resource-constrained as Stef, so it surely doesn't go fast.  In addition, I need to get my stuff into browsers, and that is *really* difficult.  Not technically, but politically.

BTW, trusted application is already a part of Google Wallet.  How they accomplish this is currently not described.  The crypto chip is NDA-protected as well :-(

Anders
http://webpki.org/auth-token-4-the-cloud.html

On 2011-10-20 09:17, Elena Reshetova wrote:

Hi,

I have been studying the different solutions available in Linux for securely storing certificates, keys and other credentials, and one of the solutions I am going through is Gnome Keyring.
I saw that it used to have an ACL per item in the storage, where one can specify basic read/write/delete rules and identify the application (or applications?) that is allowed to use the item. However, this functionality is now marked deprecated, and I could not find an explanation for that decision.

The use case I am interested in is very simple. As a user, I would like to be able to control which of my secrets are accessible to which applications on the system, because I may have very different applications installed on my system and not trust each of them in the same way. For example, I may have two different key pairs for signing my emails, one for corporate emails and one for personal. Similarly, I may be forced to use two different mail clients: for private emails my favourite open-source mail client (which my company doesn't feel is trusted enough) and a "company approved" mail client for company emails. And of course I would like to specify that each of these two email clients should be able to access only the private key from the corresponding key pair for signing.

I can think of quite many use cases like that.

Are there any plans/desires to have such functionality supported in Gnome Keyring? It isn't listed in the architecture goals and plans, and that's why I am interested to ask.

Best Regards,
Elena.
_______________________________________________
gnome-keyring-list mailing list
gnome-keyring-list gnome org
http://mail.gnome.org/mailman/listinfo/gnome-keyring-list