On Wed, 2008-07-16 at 12:11 +0300, Tambet Ingo wrote:
> On Tue, Jul 15, 2008 at 7:27 PM, David Smith <[EMAIL PROTECTED]> wrote:
> > Dan, how set are you on using NSS? I believe this job is better fit for
> > just supporting PKCS#11 in NM and making nm-applet use gnome-keyring's
> > PKCS#11 interface by default. Using just PKCS#11 is a much lighter
> > dependency and far simpler design. Also, using NSS in NM would require
> > it to be integrated in the supplicant, but wpasupplicant already
> > supports PKCS#11.
>
> I'm very excited about these patches and I definitely would like to
> see it finished (the applet part). Much better to have it now rather
> than ideas how to do it differently later. Plus, NSS backend for
> gnome-keyring is in their todo list.

The NSS bits were mainly a hand-wavy future thing. The only thing we use NSS for right now is parsing and decoding the certificates and private keys, and passing that information to wpa_supplicant which then feeds the binary data down to openssl, which actually does the work. I'd have to write an NSS backend for wpa_supplicant (just like there's an openssl backend) to fully support NSS, and then in this case the applet would just pass down the tokens/pointers to the certificates in the NSS cert database.

Basically, it's a _very_ good thing to store all the certificates and keys in one place, to have the supplicant/openswan read all necessary certificates from the same place, and not to have to have certs scattered all over your drive. Just tell the applet what the pointer to the certificate in whatever database (NSS or otherwise) is, and hand that off to the thing that actually needs it. Then I wouldn't have to care about parsing certs and keys manually and shoving big blobs of binary data through D-Bus.

At the moment, any of that is going to be a ways off, and thus I'm fine with a sane PKCS#11 implementation in NM and the applet. I just haven't had the time quite yet to go review those patches.

Dan
