KDE and smartcard support

Alon Bar-Lev alon.barlev at gmail.com
Wed May 23 11:06:42 BST 2007

On 5/23/07, Thiago Macieira <thiago at kde.org> wrote:
> >user=application author
> >This is unique approach :)
> We're talking about a library here. Who else would be the user?

I tend to think that features visible to users, such as the use of
smartcard, are not internal developers issue. But never mind... this
is not the issue here.

> >If this what you expected, I will be glad to explain more... If this
> >is not, I will be grateful if you explain what you expect, it is very
> >important to me we all understand what proper smartcard integration
> >is.
> Yes, that's what I expected.
> Now what George said: given those requirements, how can we design an API
> in KDE? The backend implementation is just a minor detail at this point.

I don't know KDE internals as you guys...
I can make educated guess.

1. We have some kind of low level cryptography library, let's call
this CRYTPO for now, so we don't argue whether it is QCA or anything
2. We have TLS/SSL socket implementation that uses CRYTPO in order to
do private key operations, we will call this CRYPTO_TLS
3. We have S/MIME implementation that uses CRYPTO in order to do
private key operations, we will call this CRYPTO_SMIME.

We need to implement the following into KDE:
1. Modify the KControl crypto section, to allow managing the CRYPTO
attributes, including managing hardware devices.
2. Introduce KDE dialogs for "token prompt" and "passphrase prompt" to
be used as callbacks of CRYPTO, when token is needed or when
passphrase is needed (software and hardware).
3. Modify the TLS/SSL provider in KDE to use the CRYPTO_TLS and the
callbacks from (2), this will enable any TLS/SSL application to
benefit from CRYPTO features, without any modification.
4. Modify KWallet implementation so that it use CRYPTO in order to
encrypt/decrypt sensitive data. This will enable all application that
store sensitive data to automatically be smartcard enabled.
5. Write kdm greeter that uses CRYPTO and handle smartcard logon, this
is optional dynamic loaded component.
6. Scan all KDE code base and migrate any OpenSSL/GnuTLS/whatever
crypto code into CRYPTO.
7. Approach kmail to use CRYPTO_SMIME, so that gnupg**5 processes will
not be required for S/MIME configuration.

What do you think?

Best Regards,
Alon Bar-Lev.

More information about the kde-core-devel mailing list