Re: gnome-keyring [PATCH 4/9] ui: add PKCS#11 token sidebar



On Tue, 2016-12-13 at 19:45 +0000, David Woodhouse wrote:
> On Tue, 2016-12-13 at 19:20 +0100, Lubomir Rintel wrote:
> > Modeled after GTK Places sidebar. For internal use now.
>
> We toyed with this. It really sucks that we can't just use the existing
> sidebar and add our PKCS#11 tokens to it.
>
> Stef's proposal at GUADEC was to turn the existing 'click here to open
> a (file)chooser' widget into a drop-down. You click it and instead of
> just popping up what's *currently* a file chooser (but which we want to
> extend to cover PKCS#11 too), it gives a drop-down with all the PKCS#11
> tokens you can choose from, plus "Select from file...".
>
> If you choose a token, you get a PKCS#11 chooser which has *just* that
> token (no sidebar). And if you choose 'Select from file...' you
> obviously get the file chooser.
>
> There are some details to be worked out regarding certs from one
> location and keys from another, but I think that approach can work and
> can keep things relatively simple.

That actually sounds like a rather good idea to me.

One thing I could not figure out is whether we'd need one or two
chooser buttons. We typically need a cert and a privkey, but with
PKCS#11 URIs or PKCS#12 archives they could be easily described with a
single string (be it the URI or a filename). However, often people use
certificate and key in separate files (and potentially objects with
different CKA_ID/CKA_LABEL in a token?).

Also, I'd really just like to get rid of certificates in plain files
altogether, because they can't play well with SELinux and just let the
user import their keys into a softtoken (GNOME Keyring?) in a sane way
instead. Not completely convinced if that's a feasible idea though.

Lubo

