?Two Certificate Managers? (Re: regarding KPF)

George Staikos staikos at kde.org
Fri Apr 19 12:25:54 BST 2002 

On April 19, 2002 06:47, Marc Mutz wrote:

> - Wasn't it that the KControl certmanager wasn't existing at the time
> Aegypten started off?

  No, it was there.  It has since been further developed of course.  I sent 
many emails to the developers and mailing lists about this whent he project 
started.

> OpenSSL:
> - The Aegypten stuff bases on gnupg (newpg). It now does s/mime, too.
>   GnuPG has been extended to work with smartcards and uses app-independed
> GUI dialogs for e.g. PINentry. So sharing the database isn't impossible,
> they're just not contracted to do it.

   Well if it's going to be in KDE you would think that KDE facilities would 
be used.  KMessageBox was used.  QString was used.  The KDE crypto facilities 
were not.

  And yes, we're working on a smartcard facility for KDE also.  There will be 
yet another inconsistency.

> - The Aegypten team has been contracted to develop _free_ software. OpenSSL
>   isn't free.

   This argument grows very old.  If you don't like putting the original 
author's name in your application, write a replacement.  I wish we didn't 
have to use OpenSSL but nothing else was available and usable at the time.  
If you want to complain about something, how about that breaks BC every 
release, is poorly documented and difficult to use, especially from C++?  
Regardless, GnuPG does not (or at least did not previously) provide fully 
functional SSL support.  OpenSSL provides SSL2/3, TLS, S/MIME, most of the 
PKCS##, and all the lowlevel functions.

> - OpenSSL has some issues that make it difficult or impossible to write
> S/MIME apps that are actually interoperable with braindead MS-Windows based
> products. This is hearsay from CeBIT discussions. Werner can surely give
> you details if needed.

   I highly doubt that it is impossible.  Maybe it is more difficult than a 
simple function call, but well, openssl is difficult in many ways.  That's 
one of the two reasons why I made libkssl (now part of libkio).   
Unfortunately we have to use OpenSSL because it is the only package that is 
(or was) complete enough.

> Sphinx (somewhat lame excuse, I know):
> - The Sphinx list of requirements has some weird items that would have led
> to endless discussions on whether we actually want them. I don't allege
> anyone of the Aegypten team of thinking like that, though. But with the
> tight schedule, it was probably easier to write a new certificate manager
> that was designed to be Sphinx compliant from the beginning than to extend
> the existing one to work with mulitple backends _and_ be Sphinx-compliant.
> Let them do their stuff and later merge the two, if possible.

   Yes, now you're calling this thing a hack instead of a proper 
implementation.

> And the last point:
> - Very honestly, I trust Werner much, much more to do security-related
>   software right than _any_ KDE developer and I'm glad that a hardcore-GNU
>   like him actually works for improving _KDE_ (although he's being paid to
> do it) and bringing KDE to the desktops of German government personell. The
> more so when it comes to S/MIME, with all the unclear standards and
> contradicting implementations.

   I don't see this as an improvement to KDE.  Perhaps to KMail itself.  I see 
this as a redundancy introduced into KDE.

> The last point is nothing against any person in particular. It's just that
> in security you have to earn your reputation. Werner has been around this
> business for at least 10 years (?) now and I don't see anyone in the KDE
> community with even comparable reputation in cryptography.

   I think Dr. S. Henson and the rest of the OpenSSL developers certainly have 
a reputation too.  That is a very poor argument.  I don't write crypto code 
for KSSL.  I just connect the calls together.  And even then, I have been 
doing this since 1997, where I started doing it at the largest computer 
company in the world. 

   Perhaps someone wants to take over and rewrite (and maintain) KSSL to use 
GnuPG, and use the Aegypten database to store certificates, policies, etc?  
It sure would save me a lot of [often boring and tedious] work.  Otherwise I 
would rather not see it become an inconsistency.

-- 

George Staikos

More information about the kde-core-devel mailing list