[jds-review] remove ssh, pkcs11, & public key certs from gnome-keyring 2.21.x
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Wed Jan 2 07:33:52 PST 2008
Darren J Moffat wrote:
> Alan Coopersmith wrote:
>
>> Have you asked the security community if these would be useful things to
>> support or not?
>>
>> -Alan Coopersmith- alan.coopersmith at sun.com
>> Sun Microsystems, Inc. - X Window System Engineering
>>
>> Jeff Cai wrote:
>>
>>> Since currently there is no need for these features which relate
>>> to security, I've decided to disable them in gnome-keyring 2.21. These
>>> include:
>>> 1. ssh support
>>> 2. public key certificates support (general certificate and x.509
>>> certificate)
>>> 3. pkcs11 support (It is an API interface standard for accessing security
>>> devices such as smart cards, USB disks, etc.)
>>>
>>> A patch is attached; please review. I'll also ask the community to review
>>> it soon.
>>>
>
> Who says there is no need for them? How did you determine this? Do
> you know why that support is in there?
>
All very good questions.
> The PKCS#11 support was actually contributed to gnome-keyring by a Sun
> engineer and it was done to make the Solaris 10 US Export approval
> easier while also providing more functionality.
>
PKCS#11 support is a feature we very much want to keep in the
gnome-keyring for the reasons Darren mentions above and also because
it enables the keyring to take advantage of HW keystores if available.
-Wyllys
> The Solaris security team is also considering taking on the future
> ownership/maintenance of gnome-keyring for Solaris (it would likely
> remain in the JDS consolidation though). I'll work with Jeff/Ghee etc
> offline on this as it isn't relevant to OpenSolaris.
>
> SSH support is something we very much want to have as well.
>
>