[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-pim
Subject: Re: [Kde-pim] Own CA and kgpgcertmanager
From: Bernhard Reiter <bernhard () intevation ! de>
Date: 2003-07-29 14:11:58
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
[ Coming back to the more practical part of the discussion.
That I had to postpone yesterday. ]
On Monday 28 July 2003 20:39, George Staikos wrote:
> On Monday 28 July 2003 14:15, Bernhard Reiter wrote:
> > On Monday 28 July 2003 15:24, George Staikos wrote:
> > > On Monday 28 July 2003 05:33, Bernhard Reiter wrote:
> > Do you want to make gpg use KConfig for its public keys?
> > I always thought KConfig was geared towards KDE...
>
> That would be a great start.
It might be a good next step.
As far as I understand would you believe it would be an improvement
if gpg could use the public keys in KConfig as an additional key source?
We might need to check out in how far those two respositories
can be kept in sync. For gnupg we can't help to have an external key
database, because some users will always have one.
As KDE's system also exists, people also will have key boxes there.
So first step would be to work out a procedure to get certs from KSSLD to gpgsm.
> Actually you can't use KConfig directly
> though, due to synchronisation issues. We had to create KSSLD to
> serialise. If you look at KSSL you will see there are interfaces there
> which make this transparent for you. (KSSLCertificateHome in particular.)
> You can even try it with DCOP directly. dcop kded kssld will show you what
> is there. I'm guessing that PKCS#7 was not implemented in kssld yet
> though.
For the first steps the caUseForEMail() ones would be most interesting.
> KConfig is very much a generic system though. Nothing stops you from
> parsing this with a perl script or anything else you like. Synchronization
> is important though.
>
> > > Well I don't see the current one being developed in any sort of
> > > proper form right now.
> >
> > What is wrong with the activity on gnupg-devel or gpa-dev?
>
> They can develop all they want! Good for them... we can even have a
> plugin for both. The gpg plugin -should- use the KDE database, but it
> doesn't have to.
There are two gpg functionalities. OpenPGP and Sphinx/(S/MIME).
OpenPGP uses its own database, Sphinx also does.
The former so far has not been a problem for you. Only the latter is.
It should be acceptable to keep the working sphinx situation
and then slowly couple the two functionalities of KSSL and gpgsm
to reduce redundency in the future.
> If it doesn't, it should be a separate "addon" that users
> can install. It should not be a part of a default KDE setup.
> I don't know
> who became king and decided that bypassing the KDE security subsystem in
> the KDE distribution was acceptable behaviour.
I don't know ether, but there are several reasons that speak for it.
One is that the gpgsm subsystem might be more compatible
with non-KDE systems and also secure.
> > > > AFAIK it does not support SPHINX (yet).
> > > > The components are harder to security audit,
> > > > being less atomic.
> > >
> > > Which components are? The KDE code? OpenSSL?
> >
> > Yes, both.
>
> Well I'm sorry, but read the code before you comment on it.
Maybe I did and have a different opinion...
E.g. I don't think that openssl is really nice code.
For the KDE code in total I believe that some parts link KDE libraries
and huge libraries are always hard to security audit.
> It's very
> easy to read and understand KSSL.* It's even fully documented now!
> OpenSSL really isn't so hard to understand either, despite being horribly
> documented and having an incredibly difficult API. KSSL hides everything
> in OpenSSL anyways. (*note: there are ugliness issues with some parts of
> KSSL, and maybe they'll even be fixed in KDE4, but they're really trivial)
>
> > So not even good reasons could convince you?
> > You essentially say would never implement something better.
> > This sounds rather sad. :(
>
> I have no time or motivation to redo something that already works.
The sphinx part works, too.
["smime.p7s" (application/pkcs7-signature)]
_______________________________________________
kde-pim mailing list
kde-pim@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-pim
kde-pim home page at http://pim.kde.org/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic