?Two Certificate Managers? (Re: regarding KPF)

Nikolas Zimmermann wildfox at kde.org
Fri Apr 19 16:47:19 BST 2002


On Friday 19 April 2002 15:19, Marc Mutz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
Hi,

>
> On Friday 19 April 2002 13:25, George Staikos wrote:
> > On April 19, 2002 06:47, Marc Mutz wrote:
>
> <snip>
>
> > > OpenSSL:
> > > - The Aegypten stuff bases on gnupg (newpg). It now does s/mime, too.
> > >   GnuPG has been extended to work with smartcards and uses
> > > app-independed GUI dialogs for e.g. PINentry. So sharing the database
> > > isn't impossible, they're just not contracted to do it.
> >
> >    Well if it's going to be in KDE you would think that KDE facilities
> > would be used.  KMessageBox was used.  QString was used.  The KDE crypto
> > facilities were not.
>
> Well, what's part of KDE makes use of KDE: The LDAP-enabled Addressbook
> uses a KIOSlave, e.g. What's in KMail uses Qt/KDE classes. They even use
> designer's UI format to generate native dialogs for Qt, gtk(?) and
> mutt/console(!). Don't tell me that they don't use KDE facilities.
>
> But the fact is that this is _no_ KDE project. The contract AFAIU is about
> extending GnuPG to do S/MIME, using this in KMail and mutt _and making it
> generic enough so that other mail clients can use it, too_, and adding LDAP
> to the KDE addressbook. Werner will use the extended GnuPG in Sylpheed,
> IIRC.
>
> Of course we KDE people like to point out that the first mailer that has to
> be stuffed with S/MIME support is KMail. We like to see this as a KDE
> project. But it isn't. It is much more than just adding S/MIME to the
> random KDE mailer.
>
> It is, however the accelarator that could bring KDE to thousands of offices
> in Germany. Since without Sphinx compatibility, it will be hard for a
> desktop to get on official desks in Germany.
>
> >   And yes, we're working on a smartcard facility for KDE also.  There
> > will be yet another inconsistency.
>
> No. They're not working on a smartcard facility for KDE. They're working on
> a smartcard facility for _GnuPG_. That they have the back to make it
> generic enough so that it can be used elsewhere even though they have a
> tight schedule and could have easily done their own thing is something that
> should be appreciated. The KDE solution instead is just that: a KDE
> solution.
>
> > > - The Aegypten team has been contracted to develop _free_ software.
> > > OpenSSL isn't free.
> >
> >    This argument grows very old.  If you don't like putting the original
> > author's name in your application, write a replacement.
>
> The BSI follows the FSF's definition of free software and they're the
> people that pay for Aegypten. They demand that the product they pay for is
> free software (everyone let this sentence sink in, please) and that's it.
> If it has to be free software, it can't use OpenSSL. Point. Nothing to
> argue about.
>
> And yes, Werner _has_ written a replacement. And yes, with luck (and
> external help maybe), we'll see this as libgcrypt soon. Hopefully you can
> then use this as a replacement for openSSL.
>
> Again, this project has managed to use the contrating to deliver something
> that is of use to the whole fs/oss community, not KDE alone.
>
> > > Sphinx (somewhat lame excuse, I know):
> > > - The Sphinx list of requirements has some weird items that would have
> > > led to endless discussions on whether we actually want them. I don't
> > > allege anyone of the Aegypten team of thinking like that, though. But
> > > with the tight schedule, it was probably easier to write a new
> > > certificate manager that was designed to be Sphinx compliant from the
> > > beginning than to extend the existing one to work with mulitple
> > > backends _and_ be Sphinx-compliant. Let them do their stuff and later
> > > merge the two, if possible.
> >
> >    Yes, now you're calling this thing a hack instead of a proper
> > implementation.
>
> If a bunch of senior software engineers, paid to work four hours a day each
> (orsomething like that) on KMail/Aegypten do a certmanager, it's surely no
> hack. It may be designed to be a temporary solution, but I wouldn't call it
> a hack (and I didn't!).
>
> > > And the last point:
> > > - Very honestly, I trust Werner much, much more to do security-related
> > >   software right than _any_ KDE developer and I'm glad that a
> > > hardcore-GNU like him actually works for improving _KDE_ (although he's
> > > being paid to do it) and bringing KDE to the desktops of German
> > > government personell. The more so when it comes to S/MIME, with all the
> > > unclear standards and contradicting implementations.
> >
> >    I don't see this as an improvement to KDE.  Perhaps to KMail itself. 
> > I see this as a redundancy introduced into KDE.
>
> I guess you couldn't care less about what desktops the German government
> uses. But hey, this is _my_ country. And I'm kind of proud that they choose
> to give KDE a chance on the desktop. If you talk to the right people there,
> it's obvious that they _want_ to get to the point that they can use OSS
> even on the desktop. And personally, I see the Aegypten project as a
> groundbreaking thing. Not because it involves KMail, and I happen to be one
> of the current developers of KMail, but because it is the very first time
> that our Government has _contracted_ _free software companies_ to bring a
> software that they themselves want to use to a state where they _can_ use
> it. And it is a _big_ step forward for OSS in general and KDE in particular
> - not feature-wise, but concerning the public reception of OSS and KDE.
>
> > > The last point is nothing against any person in particular. It's just
> > > that in security you have to earn your reputation. Werner has been
> > > around this business for at least 10 years (?) now and I don't see
> > > anyone in the KDE community with even comparable reputation in
> > > cryptography.
> >
> >    I think Dr. S. Henson and the rest of the OpenSSL developers certainly
> > have a reputation too.
>
> That's not the point. I detailed above why OpenSSL isn't an option. And
> hey, this project might make all the difference between being forced to
> work with OpenSSL or having alternatives.
>
> >    Perhaps someone wants to take over and rewrite (and maintain) KSSL to
> > use GnuPG, and use the Aegypten database to store certificates, policies,
> > etc? It sure would save me a lot of [often boring and tedious] work.
> > Otherwise I would rather not see it become an inconsistency.
>
> We had three addressbooks in KDE2. I think we can survive two certificate
> managers until a brave soul is found that merges them.

so you say we should _redo_ such errors? I don't think it's quite good
to argue that way. I'd love to see a situation, where kde is being helped.
And having 2 certificate managers is definately not the way to go for ... KDE.

Bye
 Bye 
  Niko

>
> Marc
>
> - --
> Marc Mutz <mutz at kde.org>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE8wBli3oWD+L2/6DgRAqypAKCASpd0z72eknFuF29EwNc70uBTuQCgro0Z
> dJiYkutg0Z/qc7ii50fwrO0=
> =Xmbx
> -----END PGP SIGNATURE-----

-- 
Nikolas Zimmermann
wildfox at kde.org




More information about the kde-core-devel mailing list