Hi Elena,
The question you ask has been raised before by me.
I also think this is a *very* valid requirement and I'm (pretty) sure it will be a standard feature in Windows 8.
Unfortunately it seems that the Linux world lacks the product management and resource coordination needed for making this happen anyway soon.
Stef Walter is doing a fantastic job but there are limits to what one person can accomplish.
Anyway, fixing the keyring won't get you far; you need to be able to *issue* keys with ACLs attached and that part is horribly lagging not only in Linux but in most systems.
FWIW, I'm running such an effort but I'm (at least) as resource-constrained as Stef so it surely doesn't go fast. In addition, I need to get my stuff into browsers and that is *really* difficult. Not technically, but politically.
BTW, trusted application is already a part of the Google wallet. How they accomplish this is currently not described. The crypto chip is NDA-protected as well :-(
Anders
http://webpki.org/auth-token-4-the-cloud.html
On 2011-10-20 09:17, Elena Reshetova wrote:Hi,
I have been studying different solutions available in Linux for securely storing certificates, keys and other credentials and one of the solutions I am going through is Gnome Keyring.
I saw that it used to have ACL per item in the storage, where one can specify basic read/write/delete rules and identify application (or applications?) that is allowed to use the item. However, this functionality is now marked deprecated and I could not find explanations for such decision.
The use case I am interested in is very simple. I am as a user would like to be able to control what of my secrets are accessible to which applications on the system. Because I may have very different applications installed on my system and not trust each of them in the same way. For example, I may have two different key pairs for signing my emails, one for corporate emails and one for personal. Similarly I may be forced to use two different mail clients: for private emails my favourite open-source mail client (that my company doesn't feel that it is trusted enough) and "company approved" mail client for company emails. And of course I would like to specify that these two email clients should be able to access only a private key from corresponding key pair for signing.
I can think of quite many use cases like that.
Are there any plans/desires to have such functionality supported in Gnome Keyring? It isn't listed in architecture goals and plans and that's why I am interested to ask.
Best Regards,
Elena.
_______________________________________________ gnome-keyring-list mailing list gnome-keyring-list gnome org http://mail.gnome.org/mailman/listinfo/gnome-keyring-list