[gnutls-help] ANNOUNCE: Qt Certificate Addon

Richard Moore rich at kde.org
Thu Dec 20 16:14:19 CET 2012 

On 19 December 2012 16:49, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, Dec 16, 2012 at 10:18 PM, Richard Moore <rich at kde.org> wrote:
>
>> What is it?
>> ===========
>> Qt Certificate Addon is a framework for creating X.509 certificates using
>> Qt. Unlike the read-only support for certificates that's included in the SSL
>> module this API allows new certificates, keys and signing requests to be
>> created.
>
> Hello Richard,
>  The API looks reasonable. I don't know where this is intended to be
> used, but it may be useful to have some examples of common usage in
> the documentation (e.g. how to generate a certificate for a web
> server).

At the moment, I'm not 100% sure how people will use it. I had
requests from several Qt developers for an API that offered these
facilities, but I'm not really clear on what they want to do with it.
Personally, I'll be using it to develop some tools to manage an
internal CA we use at work.

I totally agree with you about the examples, I've got a couple of
basic ones in the source tree, but they aren't marked up yet so they
can be inlined into the docs. I'm hoping to put together a few
recipe-style examples for common tasks. I covered some examples of how
to use custom CAs in my dev-days talk this year, and I want this code
to let people generate the certs required to use them.

>
> I'd also miss key generation on smart card, but this may not be a
> popular use-case for a first release. As I see the API it can easily
> accommodate that in the future.

Yes, it's totally feasible to add this in the future. At the moment I
have no access to the relevant hardware so I'm not really in a
position to look at it. I know at least one developer who's
contributed to Qt recently has an interest in this area, so it might
well be something that gets worked on.

>
>>   * Key usage
>>   * Extended key usage
>
> These two proved to be hard to use in the internet. On a survey of
> certificates in web servers those values seem to be randomly selected
> based on each admin's understanding of the meaning of the values.

I've found the specs for these to be rather confusing (including which
should be critical etc.). The CAB forum baseline requirements seems to
be the clearest document these days, and has good coverage of the use
for web servers at least in appendix B.

>
>> The code is capable of creating certificates, keys and signing requests with
>> support for the most common types of certificate extension. The documentation
>> is at a reasonable level, there are examples and a moderate level of unit
>> tests. I've only tested the code on Linux, but apart from the RandomGenerator
>> class it should work fine on all platforms.
>
> Why not use gnutls' gnutls_rnd()?

Nice, I didn't know that existed. The code has been changed to use it.

Thank you very much for the feedback, it's much appreciated.

Rich.

>
> regards,
> Nikos

More information about the Gnutls-help mailing list