Two Certificate Managers?

George Staikos staikos at kde.org
Fri Apr 19 22:25:21 BST 2002


On April 19, 2002 09:19, Marc Mutz wrote:

> But the fact is that this is _no_ KDE project. The contract AFAIU is about
> extending GnuPG to do S/MIME, using this in KMail and mutt _and making it
> generic enough so that other mail clients can use it, too_, and adding LDAP
> to the KDE addressbook. Werner will use the extended GnuPG in Sylpheed,
> IIRC.
>
> Of course we KDE people like to point out that the first mailer that has to
> be stuffed with S/MIME support is KMail. We like to see this as a KDE
> project. But it isn't. It is much more than just adding S/MIME to the
> random KDE mailer.

    Well as Waldo said, if this isn't a KDE project then why is it in KDE?  
Third party packages can be added to KDE systems, and they can do whatever 
they want I guess.

> It is, however the accelarator that could bring KDE to thousands of offices
> in Germany. Since without Sphinx compatibility, it will be hard for a
> desktop to get on official desks in Germany.

     Well why not provide a proper solution for the first impression these 
people will have?  The first impression is the most important one.   For 
quite some time I have wanted to bring Linux to my provincial government as a 
cost saving measure.  I certainly would not want to show them such 
inconsistencies.

> >   And yes, we're working on a smartcard facility for KDE also.  There
> > will be yet another inconsistency.
>
> No. They're not working on a smartcard facility for KDE. They're working on
> a smartcard facility for _GnuPG_. That they have the back to make it
> generic enough so that it can be used elsewhere even though they have a
> tight schedule and could have easily done their own thing is something that
> should be appreciated. The KDE solution instead is just that: a KDE
> solution.

  That's my point!!  It's not going to use the KDE facility!  In this case, it 
may actually even conflict!  (due to hardware issues and the fact that we 
issue events and link them to actions)

> And yes, Werner _has_ written a replacement. And yes, with luck (and
> external help maybe), we'll see this as libgcrypt soon. Hopefully you can
> then use this as a replacement for openSSL.

   A better library would be great.  I'm not necessarily ever going to change 
KDE to use such a thing though.  I took on this project because no-one else 
would.  In any case, I think a new library has very much maturing to do 
before it can be useful.  Mozilla had problems with incompatibility in the 
crypto layer for a while wherease OpenSSL does not.  This is because OpenSSL 
has a long history of bug fixes in it for incompatible SSL implementations, 
just as you claim S/MIME has.

   I'm not saying that the KDE facilities are ideal or even great.  They are 
what I could manage to do in virtually all of my spare time last year.  
However they do work, and until we have a better solution, that is what must 
be used.

   If this is insufficient, declare KDE to be incapable of properly hosting 
Aegypten, and fix KDE.

> >    Yes, now you're calling this thing a hack instead of a proper
> > implementation.
>
> If a bunch of senior software engineers, paid to work four hours a day each
> (orsomething like that) on KMail/Aegypten do a certmanager, it's surely no
> hack. It may be designed to be a temporary solution, but I wouldn't call it
> a hack (and I didn't!).

   Well it's not using the proper methods when working in a KDE environment.  
Are you saying that it's not a hack because they're "senior software 
engineers"?  or because they were paid to work on it?  

> >    I don't see this as an improvement to KDE.  Perhaps to KMail itself. 
> > I see this as a redundancy introduced into KDE.
>
> I guess you couldn't care less about what desktops the German government
> uses. But hey, this is _my_ country. And I'm kind of proud that they choose
> to give KDE a chance on the desktop. If you talk to the right people there,
> it's obvious that they _want_ to get to the point that they can use OSS
> even on the desktop. And personally, I see the Aegypten project as a
> groundbreaking thing. Not because it involves KMail, and I happen to be one
> of the current developers of KMail, but because it is the very first time
> that our Government has _contracted_ _free software companies_ to bring a
> software that they themselves want to use to a state where they _can_ use
> it. And it is a _big_ step forward for OSS in general and KDE in particular
> - not feature-wise, but concerning the public reception of OSS and KDE.

    As I said above, this is not the way to impress people.  It is 
inconsistent.  One of the things KDE prides itself on is consistency.

   Now what if I have some time to finish working on S/MIME using KSSL 
entirely?  Am I then allowed to integrate this into KMail - a facility that 
uses KDE standard interfaces and facilities?  What happens to this Aegypten 
project.  Surely this will be very confusing to have two different 
implementations of S/MIME.  Possibly even conflicting.  What does the German 
gov't say then?  The code they contracted to have written has a chance of 
being removed.  Or there are two other options - we don't allow a KDE core 
developer to integrate code from the KDE libraries into a KDE CVS application 
in favour of an external non-standard implementation.  Or option 2, we make 
KMail even more inconsistent by having two implementations of the exact same 
code, with different backends for storage.

> > > The last point is nothing against any person in particular. It's just
> > > that in security you have to earn your reputation. Werner has been
> > > around this business for at least 10 years (?) now and I don't see
> > > anyone in the KDE community with even comparable reputation in
> > > cryptography.
> >
> >    I think Dr. S. Henson and the rest of the OpenSSL developers certainly
> > have a reputation too.
>
> That's not the point. I detailed above why OpenSSL isn't an option. And
> hey, this project might make all the difference between being forced to
> work with OpenSSL or having alternatives.

   Well then what was the point?

> >    Perhaps someone wants to take over and rewrite (and maintain) KSSL to
> > use GnuPG, and use the Aegypten database to store certificates, policies,
> > etc? It sure would save me a lot of [often boring and tedious] work.
> > Otherwise I would rather not see it become an inconsistency.
>
> We had three addressbooks in KDE2. I think we can survive two certificate
> managers until a brave soul is found that merges them.

   That kind of thing is not supposed to happen.  I pointed out the 
certificate problem at the beginning of the project.  It didn't have to 
happen. 

-- 

George Staikos





More information about the kde-core-devel mailing list