WARNING: gnome-keyring ??
help-gnutls-phil at spodhuis.org
Sat Nov 10 00:50:57 CET 2012
On 2012-11-08 at 10:41 +0100, Nikos Mavrogiannopoulos wrote:
> Well a system daemon may use a hardware security module (HSM) to speed
> up, e.g., RSA and protect its keys, so it still makes sense there
> (smart cards and HSMs are both accessed via the PKCS #11 API).
True. In this case, the use of the same binary as the daemon and the
interrogator, so that it _could_ be called by users, combined with
initialising TLS support at start-up, is the issue.
> The approach seems correct to disable PKCS #11. I should also document
> it if it is not already there. However, were the requests to disable
> PKCS #11 due to the messages being printed by gnome-keyring, or
> because of some other reason?
In practice, most MTAs today will not be keeping keys in HSMs simply
because they're too low value, without a means to verify host identity
when connecting on MX. I hope that the DANE work and Tony Finch's draft
for how to use that with mail/MX will change things.
> If it is the former could the gnome-keyring module be more silent on
> failures and print messages only if some debugging environment
> variable is present?
Ideally. However, mail server operators often keep up-to-date on the
mail server software, so that they can react to security issues and get
new features, while keeping the base OS unchanged. It will take years
for the current gnome keyring modules to drop out of systems so that we
can even consider switching the default.
More information about the Gnutls-help