Gluing together Desktop Crypto
An effort to use and promote PKCS#11 as the glue between crypto libraries and security applications on the open-source desktop. Some of this work (the PKCS#11 foundation components such as p11-kit) has been sponsored by the NLnet Foundation.
Main Project: PKCS#11 Glue
Status of GNOME Integration into various applications
GNOME Feature for 3.2 (unfinished)
There are three parts to the integration.
1. Lookup keys and certificates in common places
- Keys and certificates are looked up through PKCS#11 modules.
- Libraries and apps use p11-kit to figure out which PKCS#11 modules to load.
- Two ways to use p11-kit:
  - Via the p11-kit-proxy.so module: any app that can already load a PKCS#11 module loads the proxy, which presents all of the configured modules through a single PKCS#11 interface (examples: Firefox, Thunderbird, OpenVPN, NSS)
  - Via the p11-kit library directly (examples: GLib, gnome-keyring, GnuTLS)
2. Trust Assertions
Trust assertions are used to make consistent and predictable trust decisions across applications, for things such as certificate anchors and pinned certificates.
- These trust assertions are stored in PKCS#11 modules.
- libgcr can be used to look up and/or create trust assertions.
- gnome-keyring provides compatibility so that NSS can use these trust assertions.
3. Use PKCS#11 URIs
When apps need to refer to a given certificate or key, they use PKCS#11 URIs. A URI can be stored in a config file or passed between apps, and each side resolves it to the same object in the same module.
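The PKCS#11 URI handling described above, as an added example that is not code from this page nor from p11-kit or libgcr: a small Python parser for the URI form later standardised as RFC 7512, a matcher that resolves a parsed URI against a constructed list of token objects, and a serialiser that produces a URI safe to put in a config file. Attribute names, object types and the rule that space-padded token labels compare equal follow RFC 7512; the sample objects, the function names and the `has_inline_pin` check are this example's own.

```python
"""Parse, match and re-serialise PKCS#11 URIs (the form standardised as RFC 7512).

Added example for this page; not p11-kit or libgcr code. The object records
matched against below are constructed here, not read from a real token.
"""
from dataclasses import dataclass, field
from urllib.parse import quote, unquote, unquote_to_bytes

# Standard attribute names from RFC 7512. Path attributes identify the
# slot/token/object; query attributes tell the application how to reach them.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


@dataclass
class Pkcs11Uri:
    path: dict = field(default_factory=dict)   # "id" maps to bytes, all others to str
    query: dict = field(default_factory=dict)


def _split_attrs(part: str, sep: str) -> list:
    """Split 'a=b;c=d' into [(a, b), (c, d)] before any percent-decoding,
    so an encoded ';' or '&' inside a value cannot act as a separator."""
    pairs = []
    for item in part.split(sep):
        if not item:
            continue
        name, eq, raw = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        pairs.append((name, raw))
    return pairs


def parse_pkcs11_uri(uri: str) -> Pkcs11Uri:
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    out = Pkcs11Uri()
    for name, raw in _split_attrs(path_part, ";"):
        if name in out.path:
            raise ValueError(f"duplicate path attribute {name!r}")
        if name == "id":
            out.path[name] = unquote_to_bytes(raw)    # CKA_ID is binary
        else:
            value = unquote(raw)
            if name == "type" and value not in OBJECT_TYPES:
                raise ValueError(f"unknown object type {value!r}")
            out.path[name] = value                    # unknown names kept as vendor attrs
    for name, raw in _split_attrs(query_part, "&"):
        if name in out.query:
            raise ValueError(f"duplicate query attribute {name!r}")
        out.query[name] = unquote(raw)
    return out


def is_valid_pkcs11_uri(uri: str) -> bool:
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False


def has_inline_pin(uri: Pkcs11Uri) -> bool:
    """A pin-value in a stored URI is the PIN in plaintext; configs should use
    pin-source or let the application prompt instead."""
    return "pin-value" in uri.query


def matches(uri: Pkcs11Uri, obj: dict) -> bool:
    """An object matches when every path attribute the URI specifies is equal.
    Token/slot strings come space-padded from CK_TOKEN_INFO, so trailing
    spaces are ignored; the binary id must match exactly."""
    for name, want in uri.path.items():
        have = obj.get(name)
        if have is None:
            return False
        if name == "id":
            if have != want:
                return False
        elif str(have).rstrip(" ") != want.rstrip(" "):
            return False
    return True


def find_objects(uri: Pkcs11Uri, objects: list) -> list:
    return [o for o in objects if matches(uri, o)]


def format_pkcs11_uri(uri: Pkcs11Uri) -> str:
    """Percent-encode everything except RFC 3986 unreserved characters; that is
    stricter than the grammar requires but always yields a valid URI."""
    path = ";".join(f"{k}={quote(v, safe='')}" for k, v in uri.path.items())
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in uri.query.items())
    return "pkcs11:" + path + ("?" + query if query else "")


# Constructed sample of what one module might report (not real token data).
SAMPLE_OBJECTS = [
    {"token": "My Token".ljust(32), "object": "My Cert", "type": "cert", "id": b"\x01\x02"},
    {"token": "My Token".ljust(32), "object": "My Cert", "type": "private", "id": b"\x01\x02"},
    {"token": "Other".ljust(32), "object": "My Cert", "type": "cert", "id": b"\x03"},
]

if __name__ == "__main__":
    u = parse_pkcs11_uri("pkcs11:token=My%20Token;object=My%20Cert;type=cert;id=%01%02?module-name=opensc")
    print(find_objects(u, SAMPLE_OBJECTS))
```

Leaving `type` out of a URI that names a key pair by `id` matches both the certificate and the private key, which is often what a configuration wants; adding `type=cert` or `type=private` narrows it to one object. Reject URIs for which `has_inline_pin` is true before writing them to a config file.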