Re: gnome-keyring [PATCH 4/9] ui: add PKCS#11 token sidebar

[Lubomir Rintel <lkundrak v3 sk>]

On Tue, 2016-12-13 at 19:45 +0000, David Woodhouse wrote:
> On Tue, 2016-12-13 at 19:20 +0100, Lubomir Rintel wrote:
> > Modeled after GTK Places sidebar. For internal use now.
>
> We toyed with this. It really sucks that we can't just use the
> existing
> sidebar and add our PKCS#11 tokens to it.
>
> Stef's proposal at GUADEC was to turn the existing 'click here to
> open
> a (file)chooser' widget into a drop-down. You click it and instead of
> just popping up what's *currently* a file chooser (but which we want
> to
> extend to cover PKCS#11 too), it gives a drop-down with all the
> PKCS#11
> tokens you can choose from, plus "Select from file...".
>
> If you choose a token, you get a PKCS#11 chooser which has *just*
> that
> token (no sidebar). And if you choose 'Select from file...' you
> obviously get the file chooser.
>
> There are some details to be worked out regarding certs from one
> location and keys from another, but I think that approach can work
> and
> can keep things relatively simple.

That actually sounds like a rather good idea to me.

One thing I could not figure out is whether we'd need one or two
chooser buttons. We typically need a cert and a privkey, but with
PKCS#11 URIs or PKCS#12 archives they could be easily described with a
single string (be it the URI or a filename). However often people use
certificate and key in separate files (and potentially objects with
different CKA_ID/CKA_LABEL in a token?).

Also, I'd really just like to get rid of certificates in plain files
altogether, because they can't play well with SELinux and just let the
user import their keys into a softtoken (GNOME Keyring?) in a sane way
instead. Not completely convinced if that's a feasible idea though.

Lubo