[Telepathy] Certificate verification in empathy
Stef Walter
stefw at collabora.co.uk
Mon Dec 6 19:23:41 PST 2010
Hi all!
I've been working on updating the certificate verification support in
empathy [1]. The work isn't completely finished and tested yet (I've run
into some build issues with gtk+3), but I figured I'd give a heads up on
these commits.
The work is on the trust-assertions branch [2] on my empathy
git.collabora.co.uk repository.
This stuff is based on the trust assertion research I've been working on
[3].
The following has changed:
* Storing certificate exceptions for when a user clicks
  "Remember this choice for future connections"
  - These certificate exceptions are per host, and not added
    as a certificate authority as before.
* Looking up certificate anchors (trust roots) via PKCS#11
  - Any certificate authority present there can be used.
* Building of certificate chains by looking up certificates
  via PKCS#11.
  - If the server doesn't send a complete certificate chain
    then the certificates are loaded locally (if present).
empathy uses libgcr for these lookups, which uses PKCS#11 to look up the
various trust anchors and certificate exceptions in PKCS#11 modules. The
relevant PKCS#11 modules are provided by gnome-keyring.
The gnome-keyring trust-store [4] branch is necessary to make all this work.
What's missing:
* Need to do the various PKCS#11 lookups asynchronously so as
not to block UI being displayed by empathy-auth-client.
* Lookup untrusted assertions for CRLs.
Interested in any comments or insight.
Cheers,
Stef
[1] https://bugzilla.gnome.org/show_bug.cgi?id=634489
[2] http://git.collabora.co.uk/?p=user/stefw/empathy.git;a=shortlog;h=refs/heads/trust-assertions
[3] http://people.collabora.co.uk/~stefw/trust-assertions.html
[4] http://git.gnome.org/browse/gnome-keyring/log/?h=trust-store
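The two behaviours listed in the message (completing an incomplete server chain from a local store, and per-host certificate exceptions that are pinned rather than installed as a CA) as an added Python sketch. This is not code from the message, from empathy or from libgcr: the PKCS#11 lookups are replaced by an in-memory store, the certificates are constructed stand-ins, and only issuer/subject name chaining is performed (no signature, validity or revocation checks), so it illustrates the trust decision rather than a real verifier.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (assumption: no real DER)."""
    subject: str
    issuer: str
    der: bytes

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


class TrustStore:
    """In-memory stand-in for the PKCS#11-backed anchor/exception lookups."""

    def __init__(self, anchors, intermediates):
        self.anchors = {c.subject: c for c in anchors}
        self.intermediates = {c.subject: c for c in intermediates}
        self.pinned = set()  # (host, fingerprint): exceptions are per host

    def is_anchor(self, cert: Cert) -> bool:
        a = self.anchors.get(cert.subject)
        return a is not None and a.der == cert.der

    def lookup_issuer(self, cert: Cert):
        # Load the issuer locally when the server did not send it.
        return self.intermediates.get(cert.issuer) or self.anchors.get(cert.issuer)

    def pin(self, host: str, cert: Cert) -> None:
        # "Remember this choice": record the exception for this host only,
        # without making the certificate an authority for anything else.
        self.pinned.add((host, cert.fingerprint()))

    def is_pinned(self, host: str, cert: Cert) -> bool:
        return (host, cert.fingerprint()) in self.pinned


def build_chain(sent, store: TrustStore, max_len: int = 8):
    """Chain leaf-first from what the server sent, filling gaps from the store."""
    by_subject = {c.subject: c for c in sent}
    chain = [sent[0]]  # assumption: the server sends the leaf first
    while len(chain) < max_len:
        top = chain[-1]
        if top.is_self_signed() or store.is_anchor(top):
            break
        issuer = by_subject.get(top.issuer) or store.lookup_issuer(top)
        if issuer is None:
            break  # incomplete chain and nothing local to complete it
        chain.append(issuer)
    return chain


def verify(host: str, sent, store: TrustStore) -> str:
    """Trust decision: anchored chain, per-host pinned leaf, or untrusted."""
    chain = build_chain(sent, store)
    if store.is_anchor(chain[-1]) and chain[0].subject == host:
        return "anchored"
    if store.is_pinned(host, chain[0]):
        return "pinned"
    return "untrusted"


# Constructed sample certificates (names and bytes are made up).
ROOT = Cert("Example Root", "Example Root", b"root-ca")
INTER = Cert("Example Intermediate", "Example Root", b"intermediate")
LEAF = Cert("xmpp.example.org", "Example Intermediate", b"leaf")
SELF = Cert("chat.example.net", "chat.example.net", b"self-signed")
CHILD = Cert("other.example.net", "chat.example.net", b"child-of-self")


def make_store() -> TrustStore:
    return TrustStore(anchors=[ROOT], intermediates=[INTER])


def demo() -> dict:
    store = make_store()
    results = {
        # Server sent only the leaf; intermediate and root come from the store.
        "chain": [c.subject for c in build_chain([LEAF], store)],
        "anchored": verify("xmpp.example.org", [LEAF], store),
        "self_before_pin": verify("chat.example.net", [SELF], store),
    }
    store.pin("chat.example.net", SELF)  # user clicked "Remember this choice"
    results["self_after_pin"] = verify("chat.example.net", [SELF], store)
    # Same certificate presented for a different host: exception does not apply.
    results["other_host"] = verify("other-host.example.net", [SELF], store)
    # A certificate issued by the pinned one: pinning is not a CA grant.
    results["issued_by_pinned"] = verify("other.example.net", [CHILD, SELF], store)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast the message draws is in the last two results: an exception stored under the old scheme (certificate added as a CA) would have made both the same certificate on another host and anything it signed acceptable, whereas a per-host pin keeps the exception scoped to the one host and the one certificate.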