Re: GNOME Keyring and Seahorse Goals and Vision



On 2010-10-11 00:46, Martin Paljak wrote:
>> This can be added as an implementation once the actual
>> specifications and PKCS#11 extensions for trust assertions are
>> agreed on.
> 
> Why extend PKCS#11 for this?

I've taken forever to respond to this email. In part, because I've
thought a whole lot about what you've said, and that's needed time.

As I've done more and more research, I agree with you that perhaps
PKCS#11 is not the absolute best place to do this stuff. I'd love to be
part of more discussion on this topic at FOSDEM (OpenSC Devroom) to be
part of the other ways to solve this.

That said, extending PKCS#11 is a good (although not absolute best) way
to right now solve most of the pressing needs we have on the Linux
desktop in this area. And I'm working toward a solid standard which
gnome-keyring will use.

But again, I'm not locked into this approach.

> If you say that the NSS trust bits are from 10 years ago, then the
> trust thing has already gone standard - CKA_TRUSTED (since PKCS#11
> v2.11).

A single bit is a far cry from what we need to represent things like
certificate exceptions, CRLs and trust anchors. Not to mention prefs
that come from the OS/Administrator and those that come from the user
and overrides. I'm barely touching on these issues here, but I'll post
more about this on this mailing list shortly.

'Trust' is a very overloaded and ambiguous word, and I cringe every time
I use it (which means I've been doing a lot of cringing lately, heh).

> So instead of trying to figure out the extension for conveying the
> "trust bit" over PKCS#11, very good certificate management
> capabilities should be built into Seahorse and made possible to
> expose it to applications in convenient ways. That means integration
> with OpenSSL, PKCS#11, NSS, whatever else.

Yes, that's one of the central goals of our project [1].

Cheers,

Stef

[1] http://live.gnome.org/GnomeKeyring/Goals