Robert Marcano's personal website
Get Firefox Use OpenOffice.org hacker emblem

Desktop Certificate Database Library proposal

From Robert Marcano's personal website

Warning
This is a preliminar realease of this document in order to be discussed by the developers community. Please note that english is not my native language

Contents

[edit] Problem to Solve

This document propose a solution to the need of a central repository for Public-key cryptography keys and certificates. Currently, each application that requires access to a certificate or key provides it own storage, making the use of them difficult to the user; for example an email client requires a certificate/key to check the authenticity of a message, to send a private encrypted email or to decrypt another one, and at the same time a web application could use the same certificate/key to grant access to the user

The desktop platform needs to provide an easy to use API to store and retrieve those certificates and keys, and this library must do it, but it will not include implementations of cryptography algorithms neither of security standard like SSL and S/MIME

[edit] Requirements

The requirements for the library are:

  • Read a configuration source (that could be a file), the entries found must instruct to the library which certificates storage mechanisms are accesible to the application, for example LDAP, shared files on readonly locations, file(s) on the user HOME directory. This can be acomplished with the use of dynamic loaded modules or plugins
  • Using a C based API the library must allow the application to search certificates based on different criterias
  • Provide a framework to define multiple kind of certificates and keys, using an object interface or abstract class, this could allow the application developer to access X.509 Certificates and PGP keys with the same library
  • Add new certificates
  • A certificate must be associated with an id that must be different for each certificate stored
  • Retrieve and remove the certificate based on the id
  • Must be able to change the trust setting of the certificates, for example to allow a CA certificate to be used to validate email certificates
  • Must be able to do client side caching of the certificates, with a configurable timeout interval

Desktop platforms can provide wrappers to the library in order to make easy the development of applications using the developer favorite tools. They can provide a control panel applet that using the API must allow the user to:

  • Manage certificates found on the storage mechanisms located on the user HOME directory, if allowed by the sysadmin
  • Locate certificates on the shared storage mechanisms
  • This GUI must not show all the certificates available because there is no guarantees that the amount of the certificates is manageable by the user. For example an LDAP plugin can be configured to retrieve the public certificates of all the persons that work on a company, in order to be used on signed messages and signature verification
  • If configured by the sysadmin, allow to the user to change the trust setting of a certificate or to disable it for his or her personal use
  • If configured by the sysadmin, allow to the user to add new CA certificates for his or her personal use

[edit] Design

Image:Desktop-certdb-design.png

[edit] GNOME

GNOME can provide a GObjects based API and the following applications can be updated to use it:

[edit] Epiphany

The best path to the implementation found to the moment is based on the fact that Mozilla provides its CA certificates on the shared library named libnssckbi.so that is a readonly PKCS#11 module. The idea is to write a new PKCS#11 module that uses this library API, and if wanted the module libnssckbi.so can be unloaded in order to use only the certificates provided by this library

[edit] Evolution

Evolution 2.x series has an implementation of S/MIME, that requires the access to a personal certificate to sign a message, or the certificate of some sender to verify a received message. For what I have seen of the 1.5 series the certificates are being retrieved from a local file, that the user can choose with a file chooser. With the use of this library, Evolution must be able to show a certificate search window, and internally it must save the selected certificate id for later usage when the message is being signed

[edit] GNU Classpath

Classpath developers or a developer of an additional Java package could use this library in order to implement GNOME specific versions of CertStoreSpi and/or KeyStoreSpi

[edit] Plugins

As explained on the requirements, this library must be able to load plugins in order to know the mechanism used to store and retrieve the certificates and/or keys. There are many options for the inteface requirements of those plugins

  • Simple shared object with custom defined interface
  • Make all plugins based on PKCS#11 modules. This could complicate a little the implementation, but will guarantee to the application developer the access to standard based hardware like Smart Cards (if it provides the required PKCS#11 module). There is an implementation of a PKCS#11 module loader for PAM that could be interesting to study

[edit] Security Considerations

In order to improve the security of the certificates located on the HOME directory, a PKCS#12 file can be used because it provides basic password based encryption of it contents

Retrieved from "http://www.marcanoonline.com/wiki/Desktop_Certificate_Database_Library_proposal"
Valid XHTML 1.0 Transitional and CSS.
Copyright 2003-2006 Robert Marcano. All Rights Reserved
Powered by MediaWiki
Original Design by Book of Styles