Re: Simple connect feature for xl2tpd

From: Dan Williams <dcbw redhat com>
To: Tambet Ingo <tambet gmail com>
Cc: networkmanager-list gnome org
Subject: Re: Simple connect feature for xl2tpd
Date: Wed, 16 Jul 2008 12:38:36 -0400

On Wed, 2008-07-16 at 12:11 +0300, Tambet Ingo wrote:
> On Tue, Jul 15, 2008 at 7:27 PM, David Smith <dds google com> wrote:
> > Dan, how set are you on using NSS? I believe this job is better fit for
> > just supporting PKCS#11 in NM and making nm-applet use gnome-keyring's
> > PKCS#11 interface by default. Using just PKCS#11 is a much lighter
> > dependency and far simpler design. Also, using NSS in NM would require
> > it to be integrated in the supplicant, but wpasupplicant already
> > supports PKCS#11.
> 
> I'm very excited about these patches and I definitely would like to
> see it finished (the applet part). Much better to have it now rather
> than ideas how to do it differently later. Plus, NSS backend for
> gnome-keyring is in their todo list.

The NSS bits were mainly a hand-wavy future thing.  The only thing we
use NSS for right now is parsing and decoding the certificates and
private keys, and passing that information to wpa_supplicant which then
feeds the binary data down to openssl, which actually does the work.
I'd have to write an NSS backend for wpa_supplicant (just like there's
an openssl backend) to fully support NSS, and then in this case the
applet would just pass down the tokens/pointers to the certificates in
the NSS cert database.

Basically, it's a _very_ good thing to store all the certificates and
keys in one place, to have the supplicant/openswan read all necessary
certificates from the same place, and not to have to have certs
scattered all over your drive.  Just tell the applet what the pointer to
the certificate in whatever database (NSS or otherwise) is, and hand
that off to the thing that actually needs it.  Then I wouldn't have to
care about parsing certs and keys manually and shoving big blobs of
binary data through D-Bus.

At the moment, any of that is going to be a ways off, and thus I'm fine
with a sane PKCS#11 implementation in NM and the applet.  I just haven't
had the time quite yet to go review those patches.

Dan

References:
- Re: Simple connect feature for xl2tpd
  - From: Dan Williams
- Re: Simple connect feature for xl2tpd
  - From: Paul Wouters
- Re: Simple connect feature for xl2tpd
  - From: Dan Williams
- Re: Simple connect feature for xl2tpd
  - From: David Smith
- Re: Simple connect feature for xl2tpd
  - From: Tambet Ingo

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]