[Telepathy] Secure communications with Telepathy
Emanuele Aina
em at nerd.ocracy.org
Wed Nov 28 02:53:14 PST 2007
mikhail.zabaluev at nokia.com investigated:
>> This solution has a number of problems:
>> - How should I pass the private key to the cm? Is it a problem to pass
>> it on dbus (it could be easily sniffed using dbus-monitor)?
>
> If somebody can attach to your session bus, they probably can just as
> well read your private keys.
Usually keys are stored in password-encrypted files but we need to send
the key unencrypted over dbus.
If this is a problem we could use a private D-Bus connection or a local
socket but the latter has some headaches attached as we've seen in tubes
and file-transfers.
>> - What to do if I don't have access to the private key (e.g. smart card
>> readers)?
>> - In the case of a connection to a server I need to pause the
>> connection process until the client has verified the server's
>> certificate, to avoid sending the password to an untrusted server.
>> - We need a ListSupportedCertificates() method to know the supported
>> certificate types: X.509, PGP, etc.
>
> Is it some interface not currently in the spec?
There is no interface for certificates/keys in the spec; we are
investigating the possible ways of adding what's missing.
>> Any better idea? Suggestions?
>
> We really need some generic security interface on channels. I think
> that in order to be flexible and cover the use cases already known (e.g.
> SIP request authentication, end-to-end encryption), it should unify
> text-based authentication and certificate exchange mechanisms.
We are open to suggestions! :)
--
Good morning.
Congratulations on the excellent choice.