List:       kmail-devel
Subject:    Re: startkde script modification question
From:       Bernhard Reiter <bernhard () intevation ! de>
Date:       2003-01-16 14:24:08

On Thursday 16 January 2003 09:27, Kristian Koehntopp wrote:
> On Wed, Jan 15, 2003 at 10:47:56PM +0100, Ralf Nolden wrote:
> > while working myself (again) through the gpg/aegypten/smime stuff for
> > debian packages (which we at credativ where I work will use for an
> > installation), the thing for using KMail with Aegypten  depends much on
> > proper configuration of the system. Now; one critical thing is to make
> > the gpg-agent start up, so
>
> I presume that gpg-agent is a process for the management of gpg
> keys much like ssh-agent is an agent for the management of
> ssh-keys.

Yes it is a bit like this.
It was developed because gpgsm (a brother of gpg for the Ägypten-Project)
can also do S/MIME, thus it also has x509 certs.

> Also, I presume that you have to authenticate yourself against
> gpg-agent with some passphrase to enable gpg-agent to decrypt
> your keys, much like ssh-agent requires a passphrase for ssh key
> decryption.

Yes, though this might also be done by a hardware pinpad in the future.
Additionally the key can reside on external devices, like a smart card.

> I find this to be a rather quaint approach, and would like to
> see more integration here. 

Well everybody would see more integration.
The ssl keys/certs used for different purposes also pose a similar problem.

One design goal of Ägypten and GnuPG is to be secure and modular 
with a low number of dependencies. In this light implementing gpg-agent 
is the right decision.
(Compare http://www.gnupg.org/aegypten/tech.en.html. )

Further integration still is possible using this architecture in the future, though.

> Have there been thoughts to implement
> some kind of secure storage for key material in KDE, and to
> integrate this secure storage with kdm logins, so that I can
> activate my keys upon login with a SINGLE password if I desire so?

To have any part of the system which links into the huge KDE libraries
have access to the password information will lower security considerably.
Big libraries like the ones in kdebase and kdelibs are hard to security audit.
This is why gpg-agent does not depend on any GUI library
and uses pinentry programs which also try to be as independent as possible.
E.g. pinentry-qt does not link KDE libs.

> This would in my eyes be the architecturally much cleaner
> approach, and a big plus for KDE as an environment.

I disagree that having a key storage mechanism for KDE is a clean architecture.

First it would be needed to integrate ssh-agent, ssl storages like one in mozilla
and gpg-agent into one non-gui depending key-storage app.
Then you could think about GUI frontends for that
and one for QT or KDE in particular.

	Bernhard



_______________________________________________
KMail Developers mailing list
kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
