Stef, thank you very much for the hint! But I can't find how p11-kit is connected with gnome-keyring as a storing-all-secrets-in-one-place tool. Well, I know how particular applications can be configured with pkcs11 libraries. But I found that the main idea of gnome-keyring is joining all these configurations in a single place. I'm really interested in such integration using a pkcs11 library. If you have any manuals or first steps -- please let me know. If this feature hasn't been implemented, I would like to write this code.

16.04.2012 21:05, Stef Walter wrote:
> On 2012-04-16 15:30, Alexey Fedoseev wrote:
>>>> Right now I have two ideas:
>>>> 1) add one more pkcs11 keyring storage based on the specified external
>>>> pkcs11 module (e.g. particular smartcard module)
>>>
>>> Do you mean storing passwords on a smart card?
>>
>> I mean storing and generating keys and certificates on a smart card that
>> supports this functionality (through the pkcs#11 interface). This could
>> be a nice hardening option for gnome-keyring.
>
> Right. I've been working on that. The Seahorse key manager can now do
> this for any PKCS#11 compatible smart card with a few caveats. Are you
> interested in trying it out?
>
> Gnome Keyring can also store keys and certificates (prototype, not
> completely finished). It installs a PKCS#11 module for this purpose.
> These keys and certificates are not stored on smart cards however.
>
> If an application wants to install certificates on a smart card then the
> application would use that PKCS#11 module directly (or through a
> library such as Gcr). An example of this is the gcr-viewer tool which
> can import certificates and keys to any PKCS#11 module.
>
> This all needs a bit of work to get configured on your system. It uses
> p11-kit [1] for configuration. I can help you with tips either here on
> the mailing list or on #keyring at gimpnet IRC.
>
>>>> 2) set up the specified pkcs11 module library as a "GnomeKeyring
>>>> backend" so all the generated/added keys and certificates will be stored
>>>> using this external library.
>>>
>>> Sounds interesting. But I'm interested in the goal and use case you're
>>> trying to accomplish here.
>>
>> Well, the idea is to store all the available security information not on
>> a local disk but on a smart card. We have two ways of doing this:
>>
>> 1) configure all the applications (pam, ssh, gnupg, etc.) separately for
>> using the selected pkcs11 library. This is the well-known but complex
>> way, and there are some issues of using gnome-keyring in this case.
>
> Actually p11-kit solves the configuration problem. Just need to
> integrate it further into the default installs of apps.
>
> Cheers,
>
> Stef
>
> [1] http://p11-glue.freedesktop.org/p11-kit.html

-- 
Alexey Fedoseev
Lead Software Engineer | WWPass Corporation
115184, Moscow, B. Tatarskaya St. 42, 6th floor
+7 495 663 15 24
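As an added example that is not part of this thread and not p11-kit's or gnome-keyring's own code: the "configuration problem" Stef says p11-kit solves is handled by small `key: value` module files that every p11-kit-aware application reads from the same directories (`/usr/share/p11-kit/modules/`, `/etc/pkcs11/modules/`, and `~/.config/pkcs11/modules/` when `pkcs11.conf` allows user configuration), so a smart-card module is registered once instead of per application. The POSIX shell script below writes such a file into a throwaway directory and checks that its `module:` line points at an absolute library path. The library path, the token name and the `enable-in` program list are assumed placeholders, not values from a real installation.

```shell
#!/bin/sh
# Added example: registering a PKCS#11 module with p11-kit through a
# "key: value" module file, and validating that file.
# The paths below are constructed placeholders; on a real system the file
# would live in /etc/pkcs11/modules/ (admin) or /usr/share/p11-kit/modules/
# (packages), and ~/.config/pkcs11/modules/ when /etc/pkcs11/pkcs11.conf
# contains "user-config: merge".

# write_p11kit_module CONFIG_DIR NAME LIBRARY_PATH
# Creates CONFIG_DIR/NAME.module describing the PKCS#11 library LIBRARY_PATH.
write_p11kit_module() {
    dir="$1"; name="$2"; lib="$3"
    mkdir -p "$dir"
    cat > "$dir/$name.module" <<EOF
# p11-kit module configuration for $name (constructed example)
module: $lib
# critical: no -> applications keep working if this module fails to load
critical: no
# enable-in: only these programs (by executable name) see the token;
# the list here is an assumed example, not a recommendation
enable-in: gnome-keyring-daemon, seahorse, ssh
EOF
}

# check_p11kit_module FILE
# Returns 0 when FILE has a "module:" line whose value is an absolute path,
# 1 otherwise (missing key, or a relative path that p11-kit would resolve
# against its own module directory rather than the path the admin intended).
check_p11kit_module() {
    file="$1"
    lib=$(sed -n 's/^module:[[:space:]]*//p' "$file")
    [ -n "$lib" ] || return 1
    case "$lib" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo in a constructed temporary directory.
demo_dir="${TMPDIR:-/tmp}/p11kit-demo.$$"
write_p11kit_module "$demo_dir" "example-smartcard" \
    "/usr/lib/pkcs11/example-smartcard-pkcs11.so"
if check_p11kit_module "$demo_dir/example-smartcard.module"; then
    echo "config ok: $demo_dir/example-smartcard.module"
fi
rm -rf "$demo_dir"

# After placing the real file under /etc/pkcs11/modules/, p11-kit itself
# shows what every p11-kit-aware application will load:
if command -v p11-kit >/dev/null 2>&1; then
    p11-kit list-modules
fi
```

Because gnome-keyring, Seahorse and gcr all go through p11-kit, a module registered this way appears in all of them at once, which is the single-place configuration the question asks about; `enable-in`/`disable-in` keep a token out of programs that should not see it.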