Two Certificate Managers?

George Staikos staikos at kde.org
Sat Apr 20 21:13:03 BST 2002 

On April 20, 2002 04:16, Marc Mutz wrote:

> The Aegypten team and other KDE developers might come up with a more
> consistent solution over time, but the tight schedule of the Aegypten
> project either didn't permit reworking the orginal certmanager or the
> orginal certmanager developers were too silent. Where protest against

   If you're referring to kcmcrypto, I brought this up immediately when the 
project was announced.

> >    Well it's not using the proper methods when working in a KDE
> > environment. Are you saying that it's not a hack because they're "senior
> > software engineers"?  or because they were paid to work on it?
>
> Because I trust Kalle to employ only very good programmers, and because
> their stuff needs to get through the test lab of BSI. Failing these tests
> will be a debacle for both the BSI and possible future investments of the
> German authorities into Free Software. You can believe me: Everyone working
> on Aegytpen is _very_ well aware of this.

   Well it has already failed the tests of the KDE project.

> One could argue that for EMail encryption GnuPG is the de-facto standard on
> Unix. Even Kmail uses it and up to now nobody complained that we called
> pgp/gnupg instead of writing our own control center module for OpenPGP key
> management. Now suddenly, this should change for S/MIME, which is just an
> ugly disguise of OpenPGP with the only difference that S/MIME demands a
> hierarchical trust network where OpenPGP allows a web-of-trust? Wouldn't it
> be logical to put support for it into _GnuPG_? I'd very much believe so.

   Users don't care what is used underneath.  Users use KDE from a black box.  
I never use PGP support in KMail because while it is the best unix 
implementation I have seen, it is still not easy enough to use.  At least the 
last time I tried to use it, I still had to go to the command line to 
manipulate keys.  Whatever, this is still tangential.

> Re: consistency. I guess a cryptography layman'd probably find it puzzling
> to find her email certificates next to HTTP certificates. I don't think my
> girl friend would draw the connection between GnuPG where she has her
> software secret s/mime key for EMail encryption and the random SSL server
> on the internet, just because OpenSSL happens to do both.

    Have you ever even used kcmcrypto?  Do you even understand X.509, PKCS, 
etc?

> I also assert that a s/mime solution based on KSSL/OpenSSL would be just as
> inconsistent for the KMail users, since they'd expect GnuPG to do it, just
> as it does their OpenPGP keys for private communication.

   Hahaha Now that is classic.  You think that a user is going to look at the 
src code for KMail and complain that it uses kdelibs and openssl to do its 
work in the background instead of gnupg?  That's absurd!

> > > >    I think Dr. S. Henson and the rest of the OpenSSL developers
> > > > certainly have a reputation too.
> > >
> > > That's not the point. I detailed above why OpenSSL isn't an option. And
> > > hey, this project might make all the difference between being forced to
> > > work with OpenSSL or having alternatives.
> >
> >    Well then what was the point?
>
> <snip>
>
> The point is that OpenSSL is not an option. So it's pointless to cite the
> reputation of the OpenSSL developers.

   Nice try.  You said that you trust the Aegypten developers over any KDE 
developers for writing crypto code.  I said that the crypto code in KDE is 
not written by KDE developers.  It is written by OpenSSL developers, who have 
at least as good a reputation as anyone else from what I can tell.

> > > We had three addressbooks in KDE2. I think we can survive two
> > > certificate managers until a brave soul is found that merges them.
> >
> >    That kind of thing is not supposed to happen.  I pointed out the
> > certificate problem at the beginning of the project.  It didn't have to
> > happen.
>
> I don't know what happened back then, but as I said, the other conflicts
> were resolved, so I suspect that there was a communication problem.

  No there most certainly was not.


  How about this:  Konqueror will never be usable for purchasing (or obtaining 
via a CA website) an S/MIME certificate to use with KMail.  Konqueror will 
use the KDE certificate facilities, and it will store the certificate in the 
KDE database.  It will never store the certificate in a GPG database as long 
as I am maintainer.  You can write the code to extract it from the KDE 
database if you wish, but at that point, I think you have just proven that 
you can use the KDE database and so there will be no argument left to keep 
the existing code.

  Now how user friendly is that?

More information about the kde-core-devel mailing list