[Authentication] Secret Storage API specification project

Stef Walter stef-list at memberwebs.com
Fri Jul 10 14:16:27 PDT 2009


Anders Rundgren wrote:
> Hi Michael et al,
> This is quite interesting.
> You might want to know about another effort in this direction:
> http://android-keystore-v2.webpki.org
> 
> Unfortunately they seem to be as different as is technically possible :-(

Heh. Yes, that's true, this API is about secrets storage. It allows
applications to store and retrieve simple secrets in as simple a way as
possible.

As you correctly guessed, in gnome-keyring this will very likely be
layered on top of a PKCS#11 component, and also be accessible via
PKCS#11 (plus some extensions). However the secrets API is a high level
API that doesn't need to be associated with or implemented via PKCS#11.

> One of the differences is that I don't build on PKCS #11 since it does not
> support container attestations:

PKCS#11 is full of warts, but the strong point going for it is that it
is more widely implemented than other 'low level' 'security' APIs.

While PKCS#11 does not contain support for security container
attestations, I don't understand why the two are mutually exclusive.

> Another difference is that I'm mainly concerned about the external API
> and associated protocols supporting it, while the implementation may
> be something like a GNOME Keyring but it could also be hardware.
> 
> The somewhat hubris-like goal with the external API and protocol is
> setting a de-facto standard for mobile phones and a new range of
> smart cards.

I'm very interested in your API, and where it's specified. It'd be nice
for gnome-keyring to be as compatible as possible. Not sure if we would
implement another security API at this point... But I'd really like to
read your API specs so that I can learn from it, and keep gnome-keyring
flexible enough WRT the concepts contained therein.

> Anyway, I wish us both good luck!  We need it :-)

Yup, all the best!

Stef Walter


