Re: gnome-keyring Question about ACL per storage item

[Elena Reshetova <elena reshetova gmail com>]

Hi Anders, 

Thank you for your reply! It is always good to hear that you aren't alone with your own requirements. I am hoping to get more replies from people on this mailing list. 

I understand that everybody is resource-constrained and that's why I was asking more about a desire to have this functionality rather when just saying "give it to me" :) If desires match, then there is a possibility of collaboration and additional of functionality that may be needed by everyone. It is also a question of vision: how people see the gnome keyring development int he future. 

I am not sure we have such an advance requirements to "issue" keys with ACL attached, but I think we would be satisfied by just be able to separate keys, certificates and secrets usage and access (these are two different things) between different applications on the platform. 

Best Regards,
Elena.

On Thu, Oct 20, 2011 at 11:12 PM, Anders Rundgren <anders rundgren telia com> wrote:

Hi Elena,
The question you ask has been raised before by me.
I also think this is a *very* valid requirement and I'm (pretty) sure it will be a standard feature in Windows 8.

Unfortunately it seems that the Linux world lacks the product management and resource coordination needed for making this happen anyway soon.
Stef Walter is doing a fantastic job but there are limits to what one person can accomplish.

Anyway, fixing the keyring won't get you far; you need to be able to *issue* keys with ACLs attached and that part is horribly lagging not only in Linux but in most systems.

FWIW, I'm running such an effort but I'm (at least) as resource-constrained as Stef so it surely doesn't go fast.  In addition, I need to get my stuff into browsers and that is *really* difficult.  Not technically, but politically.

BTW, trusted application is already a part of the Google wallet.  How they accomplish this is currently not described.  The crypto chip is NDA-protected as well :-(

Anders
http://webpki.org/auth-token-4-the-cloud.html

On 2011-10-20 09:17, Elena Reshetova wrote:

Hi,

I have been studying different solutions available in Linux for securely storing certificates, keys and other credentials and one of the solutions I am going through is Gnome Keyring.
I saw that it used to have ACL per item in the storage, where one can specify basic read/write/delete rules and identify application (or applications?) that is allowed to use the item. However, this functionality is now marked deprecated and I could not find explanations for such decision.

The use case I am interested in is very simple. I am as a user would like to be able to control what of my secrets are accessible to which applications on the system. Because I may have very different applications installed on my system and not trust each of them in the same way. For example, I may have two different key pairs for signing my emails, one for corporate emails and one for personal. Similarly I may be forced to use two different mail clients: for private emails my favourite open-source mail client (that my company doesn't feel that it is trusted enough) and "company approved" mail client for company emails. And of course I would like to specify that these two email clients should be able to access only a private key from corresponding key pair for signing.

I can think of quite many use cases like that.

Are there any plans/desires to have such functionality supported in Gnome Keyring? It isn't listed in architecture goals and plans and that's why I am interested to ask.

Best Regards,
Elena.

_______________________________________________
gnome-keyring-list mailing list
gnome-keyring-list gnome org
http://mail.gnome.org/mailman/listinfo/gnome-keyring-list