Tuesday, May 25, 2010

GPG Agent in Gnome Keyring

One of the goals for this next version 2.32 of Gnome Keyring is including a GPG Agent. So far we've had a GPG Agent as part of GNOME in seahorse-plugins, but it's been somewhat limited in what can be implemented.

Integrating it into Gnome Keyring is cleaner, and it's the first step towards implementing things like smart card support in the GPG Agent, although that may be a while in coming.

The beginnings of this work are on the gpg-agent branch of the gnome-keyring repository.

Friday, May 14, 2010

Talk at GUADEC on Integration of Certificate and Key Storage


I'll be attending GUADEC for the first time. Not only that but I'll be giving a talk. I'm a bit nervous, but excited!


The talk is about integrating various applications using keys and certificates to use a common key storage.

Currently each application puts its certificates and private keys in distinct locations, which makes it hard for the user, but also for application developers, since new applications integrating crypto need to work out a whole raft of things such as secure key storage.
  • Currently when you need to use a certificate with network-manager and a wireless connection, you have to specify three files in fragile formats.
  • When using certificates with evolution or firefox or thunderbird, each application stores them in its own key storage.
  • SSH keys (which are in fact the same sort of keys as the above) are stored in ~/.ssh.
It's a little bit like each application not sharing a filesystem, but having their own part of the disk to write their documents to. With GPG we have all applications sharing the same keyring (per-user obviously), but so far this hasn't been the case with X.509 certificates and keys.

Because of the development in gnome-keyring around a standard called PKCS#11 it's now possible to integrate the key storage between applications, and in our talk we'll discuss how to do this in a secure, transparent and configurable way.

This also means it'll be easier for applications to gain support for keys, and to have smart card related features and other stuff like that in the future.

Friday, May 7, 2010

Gnome Keyring 2.30

Gnome as a whole is ramping up to version 3.0, and there have been some big changes in Gnome Keyring.

The new Secret Service DBus API is used to store passwords. We took care to change this out in a backwards compatible way, so applications previously using Gnome Keyring needed almost no changes.

Using DBus is more modern and all that, but the best part about this is that the KDE guys are working on implementing the same API. In fact we designed it together.

Part of Postgresql 9.0...

I've contributed to another open source project, Postgresql. My first contribution made it into version 9.0.

I worked on the samenet and samehost host-based access control feature, which lets you grant database access to hosts on the physical subnets that the postgresql server is attached to.

Previously, many postgresql deployments for clients had 0.0.0.0/0 in the pg_hba.conf file, because more limited access controls were too brittle and would inevitably fall over when the client renumbered their network.
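As an added illustration (not from the post), here is the kind of pg_hba.conf change this feature enables: the catch-all rule and the brittle fixed-subnet rule beside the samenet and samehost rules. The rule layout and the samenet/samehost keywords are those of PostgreSQL 9.0; the 192.168.10.0/24 subnet is a made-up placeholder.

```conf
# pg_hba.conf: rules are tried top to bottom, the first matching rule decides.
# TYPE  DATABASE  USER  ADDRESS           METHOD

# Before (too broad): any host that can reach the server may attempt a password login.
# host  all       all   0.0.0.0/0         md5

# Before (too brittle): the literal subnet must be edited whenever the client renumbers.
# host  all       all   192.168.10.0/24   md5

# After (PostgreSQL 9.0): accept only hosts on a subnet the server is directly attached to.
# The match follows the server's own interface addresses and netmasks, so renumbering
# the network does not break it.
host    all       all   samenet           md5

# Tighter still: accept only connections to the server's own IP addresses
# (loopback and each local interface), not the rest of the subnet.
host    all       all   samehost          md5
```

Both keywords go in the ADDRESS column in place of a CIDR range; the rest of the line (database, user, authentication method) is unchanged, so existing rules can be converted one at a time.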