Re: gnome-keyring PKCS#11 library as a GnomeKeyring backend
- From: Stef Walter <stefw gnome org>
- To: Alexey Fedoseev <a fedoseev wwpass com>
- Cc: gnome-keyring-list gnome org
- Subject: Re: gnome-keyring PKCS#11 library as a GnomeKeyring backend
- Date: Mon, 16 Apr 2012 19:05:22 +0200
On 2012-04-16 15:30, Alexey Fedoseev wrote:
>>> Right now I have two ideas:
>>> 1) add one more pkcs11 keyring storage based on the specified external
>>> pkcs11 module (e.g. particular smartcard module)
>>
>> Do you mean storing passwords on a smart card?
>
> I mean storing and generating keys and certificates on a smart card that
> supports this functionality (through the pkcs#11 interface). This could
> be a nice hardening option for the gnome-keyring.
Right. I've been working on that. The Seahorse key manager can now do
this for any PKCS#11 compatible smart card with a few caveats. Are you
interested in trying it out?
Gnome Keyring can also store keys and certificates (prototype, not
completely finished). It installs a PKCS#11 module for this purpose.
These keys and certificates are not stored on smart cards however.
If an application wants to install certificates on a smart card then the
application would use that PKCS#11 module directly (or through an
library such as Gcr). An example of this is the gcr-viewer tool which
can import certificates and keys to any PKCS#11 module.
This all needs a bit of work to get configured on your system. It uses
p11-kit [1] for configuration. I can help you with tips either here on
the mailing list or on #keyring at gimpnet IRC.
>>> 2) set up the specified pkcs11 module library as a "GnomeKeyring
>>> backend" so all the generated/added keys and certificates will be stored
>>> using this external library.
>>
>> Sounds interesting. But I'm interested in the goal and use case you're
>> trying to accomplish here.
>
> Well, the idea is to store all the available security information not on
> a local disk but on a smart card. We have two ways of doing this:
>
> 1) configure all the applications (pam, ssh, gnupg, etc.) separately for
> using the selected pkcs11 library. This is the well-known but complex
> way, and there are some issues of using gnome-keyring in this case.
Actually p11-kit solves the configuration problem. Just need to
integrate it further into the default installs of apps.
Cheers,
Stef
[1] http://p11-glue.freedesktop.org/p11-kit.html
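As an added illustration of the p11-kit module configuration Stef points to (example code written for this page, not gnome-keyring or p11-kit code), the Python below parses module files in p11-kit's `key: value` format and applies the documented `enable-in`, `disable-in` and `critical` rules to decide which PKCS#11 modules a given program would load, and what happens when one fails to load. It goes beyond the thread by spelling out those rules; the file names, library paths and program names in the sample are constructed for the example.

```python
"""Parse p11-kit module files and simulate which programs load which
PKCS#11 modules.

Added example, not gnome-keyring or p11-kit code.  It re-implements the
p11-kit module file format ('key: value' lines, '#' comments) and the
enable-in / disable-in / critical semantics in plain Python so a policy
can be inspected offline.  The sample files below are constructed; the
library paths are illustrative.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample: module files as they could appear under
# /etc/pkcs11/modules/ (system-wide) or ~/.config/pkcs11/modules/ (per user).
SAMPLE_MODULE_FILES: Dict[str, str] = {
    "smartcard.module": """\
# Smart card driver (hypothetical path), loaded everywhere except in the daemon
module: /usr/lib/pkcs11/example-smartcard-pkcs11.so
critical: no
disable-in: gnome-keyring-daemon
""",
    "gnome-keyring.module": """\
# gnome-keyring's own PKCS#11 module, restricted to a few desktop programs
module: gnome-keyring-pkcs11.so
enable-in: seahorse, gcr-viewer, evolution
critical: yes
""",
    "empty.module": """\
# Names no library at all, so there is nothing to load
critical: yes
""",
}


@dataclass
class ModuleConfig:
    name: str
    path: str
    critical: bool = False
    enable_in: List[str] = field(default_factory=list)
    disable_in: List[str] = field(default_factory=list)


def parse_module_file(filename: str, text: str) -> Optional[ModuleConfig]:
    """Parse one module file.  Returns None when it has no 'module:' line."""
    values: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        if ":" not in line:
            raise ValueError(f"{filename}:{lineno}: expected 'key: value', got {raw!r}")
        key, _, value = line.partition(":")
        values[key.strip().lower()] = value.strip()
    if "module" not in values:
        return None

    def split_list(key: str) -> List[str]:
        return [p.strip() for p in values.get(key, "").split(",") if p.strip()]

    return ModuleConfig(
        name=filename.rsplit(".module", 1)[0],
        path=values["module"],
        critical=values.get("critical", "no").lower() in ("yes", "true", "1"),
        enable_in=split_list("enable-in"),
        disable_in=split_list("disable-in"),
    )


def should_load(cfg: ModuleConfig, program: str) -> bool:
    """enable-in is an allow-list (if present); disable-in is a deny-list."""
    if cfg.enable_in and program not in cfg.enable_in:
        return False
    return program not in cfg.disable_in


def load_modules(program: str, load_fn: Callable[[str], bool],
                 files: Dict[str, str] = SAMPLE_MODULE_FILES) -> List[str]:
    """Simulate p11-kit's load pass for `program`.

    load_fn(path) stands in for dlopen and returns True on success.  A
    non-critical module that fails is skipped; a critical one aborts the
    whole initialisation, which is what 'critical: yes' means in p11-kit.
    Returns the names of the modules that ended up loaded.
    """
    loaded: List[str] = []
    for filename, text in sorted(files.items()):
        cfg = parse_module_file(filename, text)
        if cfg is None or not should_load(cfg, program):
            continue
        if load_fn(cfg.path):
            loaded.append(cfg.name)
        elif cfg.critical:
            raise RuntimeError(f"critical module {cfg.name} failed to load from {cfg.path}")
    return loaded


if __name__ == "__main__":
    for prog in ("seahorse", "ssh", "gnome-keyring-daemon"):
        print(prog, "->", load_modules(prog, lambda path: True))
```

Run stand-alone it prints, per program, the module names that would be handed over; the `load_fn` hook lets you check how a missing or broken driver is treated before touching a real `/etc/pkcs11/modules/` directory.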