Gluing together Desktop Crypto

An effort to use and promote PKCS#11 as the glue between crypto libraries and security applications on the open source desktop. Some of this work (the PKCS#11 foundation components such as p11-kit) has been sponsored by the NLnet Foundation.

There are three parts to the integration.

1. Lookup keys and certificates in common places

  • Keys and certificates are looked up through PKCS#11.
  • Libraries and apps use p11-kit to figure out which PKCS#11 modules to load.

  • Two ways to use p11-kit:
    • Via the p11-kit-proxy.so module, which any app that can already load a PKCS#11 module can use (examples: firefox, thunderbird, openvpn, NSS)
    • Via p11-kit library directly (examples: glib, gnome-keyring, gnutls)

2. Trust Assertions

Trust Assertions are used to make consistent and predictable trust decisions across applications. They are used for things like certificate anchors and/or pinned certificates.

  • These trust assertions are stored in PKCS#11 modules.
  • libgcr can be used to look up and/or create these trust assertions.
  • GnomeKeyring has compatibility so that NSS can use trust assertions.

3. Use PKCS#11 URIs

When apps need to refer to a given certificate or key, they use PKCS#11 URIs. Such a URI can be stored in configs or passed between apps.
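As an added example (not code from the CryptoGlue project or p11-kit), the following Python parses a PKCS#11 URI as specified in RFC 7512 and applies the rule that makes such a URI usable as a selector when an app receives it from a config: every path attribute present must match the object, and attributes that are absent are wildcards. The sample objects and the module path are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Attribute names from RFC 7512 (the PKCS#11 URI scheme); vendor attributes are not handled.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _parse_attrs(text, sep, allowed):
    """Parse 'name=value' pairs separated by sep; values are percent-encoded."""
    attrs = {}
    if not text:
        return attrs
    for part in text.split(sep):
        name, eq, value = part.partition("=")
        if not eq or name not in allowed:
            raise ValueError("bad or unknown attribute: %r" % part)
        if name in attrs:
            raise ValueError("duplicate attribute: %s" % name)
        raw = unquote_to_bytes(value)          # 'id' is raw bytes (CKA_ID), the rest is UTF-8 text
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Split a PKCS#11 URI into its path part (object selector) and query part (how to reach it)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return {"path": _parse_attrs(path, ";", PATH_ATTRS),
            "query": _parse_attrs(query, "&", QUERY_ATTRS)}


def uri_matches(uri, obj):
    """True if every path attribute in the URI equals the object's attribute; absent ones match anything."""
    path = parse_pkcs11_uri(uri)["path"]
    return all(obj.get(name) == value for name, value in path.items())


# Constructed sample: attributes an app would see when enumerating objects in two tokens.
SAMPLE_OBJECTS = [
    {"token": "Smart Card", "object": "server-key", "type": "private", "id": b"\x01\x02"},
    {"token": "Smart Card", "object": "server-cert", "type": "cert", "id": b"\x01\x02"},
    {"token": "Software Store", "object": "server-key", "type": "private", "id": b"\xaa"},
]


def select_objects(uri, objects=SAMPLE_OBJECTS):
    """Return the objects a URI refers to; more than one hit means the URI is ambiguous."""
    return [o for o in objects if uri_matches(uri, o)]
```

A stored URI should carry the PIN only as a pin-source reference, since pin-value puts the secret itself into the config or log line that holds the URI.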

Projects/CryptoGlue (last edited 2013-12-02 20:31:45 by WilliamJonMcCann)