Re: gnome-keyring PKCS#11 library as a GnomeKeyring backend



Stef,

thank you very much for the hint!

But I can't find out how p11-kit is connected with gnome-keyring as a
store-all-secrets-in-one-place tool.

Well, I know how particular applications can be configured with pkcs11
libraries. But I found that the main idea of gnome-keyring is joining
all these configurations in a single place.

I'm really interested in such integration using a pkcs11 library. If you
have any manuals or first steps, please let me know. If this
feature hasn't been implemented, I would like to write this code.

16.04.2012 21:05, Stef Walter wrote:
> On 2012-04-16 15:30, Alexey Fedoseev wrote:
>>>> Right now I have two ideas:
>>>> 1) add one more pkcs11 keyring storage based on the specified external
>>>> pkcs11 module (e.g. a particular smartcard module)
>>>
>>> Do you mean storing passwords on a smart card?
>>
>> I mean storing and generating keys and certificates on a smart card that
>> supports this functionality (through the pkcs#11 interface). This could
>> be a nice hardening option for gnome-keyring.
> 
> Right. I've been working on that. The Seahorse key manager can now do
> this for any PKCS#11 compatible smart card with a few caveats. Are you
> interested in trying it out?
> 
> Gnome Keyring can also store keys and certificates (prototype, not
> completely finished). It installs a PKCS#11 module for this purpose.
> These keys and certificates are not stored on smart cards however.
> 
> If an application wants to install certificates on a smart card then the
> application would use that PKCS#11 module directly (or through a
> library such as Gcr). An example of this is the gcr-viewer tool which
> can import certificates and keys to any PKCS#11 module.
> 
> This all needs a bit of work to get configured on your system. It uses
> p11-kit [1] for configuration. I can help you with tips either here on
> the mailing list or on #keyring at gimpnet IRC.
> 
>>>> 2) set up the specified pkcs11 module library as a "GnomeKeyring
>>>> backend" so all the generated/added keys and certificates will be stored
>>>> using this external library.
>>>
>>> Sounds interesting. But I'm interested in the goal and use case you're
>>> trying to accomplish here.
>>
>> Well, the idea is to store all the available security information not on
>> a local disk but on a smart card. We have two ways of doing this:
>>
>> 1) configure all the applications (pam, ssh, gnupg, etc.) separately to
>> use the selected pkcs11 library. This is the well-known but complex
>> way, and there are some issues with using gnome-keyring in this case.
> 
> Actually p11-kit solves the configuration problem. Just need to
> integrate it further into the default installs of apps.
> 
> Cheers,
> 
> Stef
> 
> [1] http://p11-glue.freedesktop.org/p11-kit.html

-- 
Alexey Fedoseev
Lead Software Engineer | WWPass Corporation
115184, Moscow, B. Tatarskaya St. 42, 6th floor
+7 495 663 15 24
