Some bits about SCdaemon

Simon Josefsson simon at josefsson.org
Thu Mar 15 14:20:32 CET 2007


Werner Koch <wk at gnupg.org> writes:

> Get it from:   http://g10code.com/docs/scdaemon-ffg2007.pdf

Hi!  That is quite nice, and got me thinking about making GnuTLS use
certificates/keys from gpgsm/scdaemon/etc.  I looked at the GnuTLS
API, and it is pretty hard coded to get the entire raw private key,
but I think it is possible to fix that.  Not that many files are
affected.

However, I'm not sure I have understood the GnuPG 2.x architecture
fully.  If I were to summarize what GnuTLS need interfaces to do, I
believe it would be:

* Get a list of private keys, some information about it (e.g., RSA?
  DSA? etc) and their related X.509 or OpenPGP cert.  Possibly the
  user should be able to use a fingerprint or similar to indicate a
  particular key or certificate.

* Ask GnuPG 2.x to sign something using a particular key.  I suppose
  some external component, typically gpg-agent or seahorse, would be
  responsible for authorizing the request and getting the passphrase; I
  don't think that belongs in GnuTLS.  Possibly for servers, having a
  callback via GnuTLS to get the passphrase would be useful.

That seems to be quite simple requirements, but I'm not sure if there
is a single GnuPG 2.x component that can help me here.

If I understand correctly:

Talking to scdaemon only gives me smart-card access, but not access to
private keys stored under ~/.gnupg.  I think the ~/.gnupg use-case is
important.  GnuTLS shouldn't work only with smart card keys.

Talking to gpgsm only gives me X.509 certificates, and possibly also
signing of them.  (Does gpgsm support raw signing, or only CMS?)

Using gpgme doesn't give me access to raw RSA/DSA signing, only
OpenPGP or CMS (or?).  My knowledge of GPGME is weak, and possibly I
should be using it.  Is there a gpgme server?  I'm not sure GnuTLS
should link to gpgme directly, the child processes, signal handling,
thread issues are problematic, so I would prefer to talk to an
external process using IPC.  Could we create a gpgme-agent?

Help?

/Simon
