From kde-core-devel Fri Feb 12 14:20:20 2010
From: Bernhard Reiter
Date: Fri, 12 Feb 2010 14:20:20 +0000
To: kde-core-devel
Subject: Re: Using system SSL certificates...
Message-Id: <201002121520.23656.bernhard () intevation ! de>
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=126598447826292

On Friday, 29 January 2010 22:51:32, Benjamin Long wrote:
> I wish Firefox used the system certs as well, as
> the only way to add a private CA there is to create an addon that installs
> it. At least Firefox is just web browsing and not mail and other servers.
> Administering it all would be much more of a PITA if KDE couldn't be set up
> to use the system certs.
> This is on Debian/Ubuntu, btw.

I agree that KDE should use the system certs by default - on all systems.
On platforms where the user (or KDE) could not interface with the certificate
system in order to add some preferences or certs, I agree that it would be
okay to override the system to some extent. At least it should be possible to
disable this by the admin.
A well maintained system needs a well maintained root cert bundle.

Free Software is already at a disadvantage regarding managing x509
certificates. In addition: in order to make a large part of the security in
the system work, you would need to make checks of certificate revocation
status mandatory.

> Please, whatever you do make sure that I can add CA's to the system from a
> script. :P

I agree that this is an important requirement.
Two more thoughts on this:

Werner Koch - my friend from g10code - brought up the idea that some security
would work better if each leaf certificate were remembered and a warning given
if it changed, instead of making the whole chain evaluation work. I tend to
like the idea, but the implementation of course has to be good to actually be
useful. With that approach there would be no need for a root cert bundle
(which usually contains some bad root certs and way too many to attack).

The GnuPG2 stack comes with an x509 certificate handling backend, including
revocation handling. The main application is called dirmngr. In the mid term
it would be cool to make use of that, at least optionally, but this sounds like
a major effort to do. Kleopatra is an upcoming frontend application for
certificates (both OpenPGP and x509). Note that secret keys on smartcards are
supported, which could also be interesting for client authentication.

Bernhard

ps.: Please copy me on relevant replies. I am subscribed to kde-core-devel,
but this is too much to follow for me sometimes.

-- 
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
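The "remember each leaf certificate and warn if it changes" idea that the mail attributes to Werner Koch, shown as a small trust-on-first-use pin store. This is an added example, not code from the mail, from KDE or from the GnuPG project; the host names, the certificate byte strings and the JSON file layout are constructed for illustration. It also shows the point behind "the implementation has to be good": a legitimate certificate renewal looks exactly like a substitution, so the store must report the change and leave the decision to the user or admin rather than silently overwrite the pin.

```python
# Added example: trust-on-first-use (TOFU) pinning of leaf certificates,
# the approach the mail attributes to Werner Koch. Not code from KDE or GnuPG.
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

NEW, OK, CHANGED = "NEW", "OK", "CHANGED"


class LeafPinStore:
    """Remembers the SHA-256 fingerprint of the leaf certificate presented by
    each host:port and reports whether a later presentation still matches.

    The store never replaces a pin on its own: a CHANGED verdict goes back to
    the caller, and only accept_change() (an explicit user/admin decision)
    moves the pin. That is what keeps a changed certificate from being
    silently accepted, whether the change is a renewal or an interception."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    @staticmethod
    def fingerprint(der: bytes) -> str:
        # Pin the whole DER-encoded certificate. Pinning the SubjectPublicKeyInfo
        # instead would survive a renewal that keeps the same key, but that
        # needs an ASN.1 parser and is left out of this example.
        return hashlib.sha256(der).hexdigest()

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der: bytes) -> str:
        key = f"{host}:{port}"
        seen = self.fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen      # first contact: remember it
            self._save()
            return NEW
        return OK if pinned == seen else CHANGED

    def accept_change(self, host: str, port: int, der: bytes) -> None:
        """Replace the pin after the user/admin has verified the new certificate."""
        self.pins[f"{host}:{port}"] = self.fingerprint(der)
        self._save()


# Constructed stand-ins for DER certificates; a real client would pass the
# bytes from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"\x30\x82\x01\x00constructed-cert-mail.example-2010"
CERT_B = b"\x30\x82\x01\x00constructed-cert-mail.example-2011"


def demo() -> List[str]:
    """Walk through the verdicts for one host over several connections."""
    store = LeafPinStore()
    verdicts = [
        store.check("mail.example", 993, CERT_A),   # NEW: pinned on first use
        store.check("mail.example", 993, CERT_A),   # OK: same leaf as before
        store.check("mail.example", 993, CERT_B),   # CHANGED: warn, pin untouched
        store.check("mail.example", 993, CERT_A),   # OK: the pin still names A
    ]
    store.accept_change("mail.example", 993, CERT_B)  # explicit decision
    verdicts.append(store.check("mail.example", 993, CERT_B))  # OK from now on
    return verdicts


def demo_persistence() -> bool:
    """Pins must survive a restart, otherwise every session is a 'first use'."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pins.json"   # constructed location
        LeafPinStore(path).check("imap.example", 993, CERT_A)
        return LeafPinStore(path).check("imap.example", 993, CERT_A) == OK


if __name__ == "__main__":
    print(demo(), demo_persistence())
```

The first contact is the weak point of any TOFU scheme: a NEW verdict means nothing was verified, so a client would still want a chain check or an out-of-band fingerprint comparison there, and the CHANGED verdict is only useful if the application actually blocks on it instead of offering a one-click "continue".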