[Telepathy] Certificate verification in empathy
stefw at collabora.co.uk
Mon Dec 6 19:23:41 PST 2010
I've been working on updating the certificate verification support in
empathy. The work isn't completely finished and tested yet (I've run
into some build issues with gtk+3), but I figured I'd give a heads up on
The work is on the trust-assertions branch on my empathy
This stuff is based on the trust assertion research I've been working on
The following has changed:
 * Storing certificate exceptions for when a user clicks
   "Remember this choice for future connections"
    - These certificate exceptions are per host, and not added
      as a certificate authority as before.
 * Looking up certificate anchors (trust roots) via PKCS#11
    - Any certificate authority present there can be used.
 * Building of certificate chains by looking up certificates
    - If the server doesn't send a complete certificate chain
      then the certificates are loaded locally (if present).
empathy uses libgcr for these lookups, which uses PKCS#11 to look up the
various trust anchors and certificate exceptions in PKCS#11 modules. The
relevant PKCS#11 modules are provided by gnome-keyring.
gnome-keyring trust-store branch is necessary to make all this work.
 * Need to do the various PKCS#11 lookups asynchronously so as
   not to block UI being displayed by empathy-auth-client.
 * Lookup untrusted assertions for CRLs.
Interested in any comments or insight.
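
The per-host exception and local chain-completion behaviour described in the message above, as an added sketch that is not part of the original post and is not empathy, libgcr or gnome-keyring code. It is a model only: the `Cert` type, the function names and all sample certificates are constructed, issuers are matched by name, and signature, validity and hostname checks are assumed to happen elsewhere.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed stand-in for a real certificate digest

def build_chain(sent, local_store):
    """Extend the server-sent chain with locally stored issuers, if present."""
    chain = list(sent)
    by_subject = {c.subject: c for c in local_store}
    while chain[-1].issuer != chain[-1].subject:   # stop at a self-signed cert
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None or issuer in chain:      # issuer not stored, or a loop
            break
        chain.append(issuer)
    return chain

def trust_decision(host, chain, anchors, exceptions):
    """anchors: set of fingerprints; exceptions: set of (host, fingerprint)."""
    if (host, chain[0].fingerprint) in exceptions:  # exact leaf, this host only
        return "exception"
    if any(c.fingerprint in anchors for c in chain):
        return "anchor"
    return "untrusted"

# Constructed sample data (hypothetical names and fingerprints).
ROOT = Cert("Example Root CA", "Example Root CA", "fp-root")
INTER = Cert("Example Intermediate", "Example Root CA", "fp-inter")
LEAF = Cert("jabber.example.org", "Example Intermediate", "fp-leaf")
SELF = Cert("chat.example.net", "chat.example.net", "fp-self")
# A certificate for a different host, issued under the self-signed cert.
OTHER = Cert("jabber.example.org", "chat.example.net", "fp-other")

ANCHORS = {"fp-root"}
# The user clicked "Remember this choice" for chat.example.net only.
EXCEPTIONS = {("chat.example.net", "fp-self")}

if __name__ == "__main__":
    full = build_chain([LEAF], [INTER, ROOT])       # server sent only the leaf
    print(trust_decision("jabber.example.org", full, ANCHORS, EXCEPTIONS))
    other = build_chain([OTHER], [SELF])
    # Per-host exception: the remembered cert does not vouch for other hosts.
    print(trust_decision("jabber.example.org", other, ANCHORS, EXCEPTIONS))
    # Remembering it as a certificate authority instead would accept it.
    print(trust_decision("jabber.example.org", other, ANCHORS | {"fp-self"}, set()))
```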