Gluing together Desktop Crypto

An effort to use and promote PKCS#11 as glue between crypto libraries and security applications on the open source desktop. Some of this work (the PKCS#11 Foundation components such as p11-kit) has been sponsored by the NLnet Foundation

There are three parts to the integration.

1. Lookup keys and certificates in common places

  • Keys and certificates are looked up in PKCS#11
  • Libraries and apps use p11-kit to figure out which PKCS#11 modules to load.

  • Two ways to use p11-kit:
    • Via the module, any app that supports PKCS#11 can use this (examples: firefox, thunderbird, openvpn, NSS)
    • Via p11-kit library directly (examples: glib, gnome-keyring, gnutls)

2. Trust Assertions

Trust Assertions are used to make consistent and predictable trust decisions between applications. Used for things like certificate anchors, and or pinned certificates.

  • These trust assertions are stored in PKCS#11 modules.
  • Can use libgcr to lookup and/or create these trust assertions.
  • GnomeKeyring has compatibility so that NSS can use trust assertions.

3. Use PKCS#11 URIs

When apps need to refer about a given certificate or key, they use PKCS#11 URIs. This URI can be stored in configs or passed between apps.

Projects/CryptoGlue (last edited 2013-12-02 20:31:45 by WilliamJonMcCann)