Tuesday, 2018-07-17

dcalisteHello chriadam and rainemak, sorry for the late connection.07:06
dcalisteMoreover, I'll have to quit today at 9:30.07:06
chriadamdcaliste: hi, no problem07:08
chriadamI hope you had a good week07:09
rainemakhi dcaliste & chriadam07:09
dcalisteI'm fine thank you. As said last week, S/MIME signature verification is working out of the box with the current gpgme framework.07:09
chriadamwe're still fighting with release issues for 2.2.1, so I haven't made any progress regarding things you've raised last week etc :-(07:09
dcalisteI've tested signing process this week.07:09
chriadambut that's great news07:09
dcalisteYou may have notice some discussions with lbt and abranson on #mer.07:10
chriadamI did not see those yet actually07:10
dcalisteIt requires a new package: dirmngr to handle certificates.07:10
dcalisteI've packaged it, see https://git.merproject.org/dcaliste/dirmngr07:11
chriadamin the future, I think we want certificates to be stored in / managed by the secrets daemon itself, I believe, although we haven't started looking into certificate management in any detail yet07:11
dcalistelbt helped me yesterday to finilising the packaging.07:11
dcalisteI'm waiting for it to enter Mer officially.07:11
dcalisteI agree that secret should handle certificates, but anyway gnupg will have to speak to something that speaks its language to handle certificates.07:12
dcalisteCurrently it's simple to compile dirmngr.07:12
dcalisteWith this addition, CLI S/MIME signature is working.07:13
dcalisteI nneed to check now that it's working from the email app also.07:13
chriadamI'm a bit worried about adding yet another service to the base OS07:13
rainemakdepending how the dirmngr will be used... maybe we should try to build a facade to the secrets through which we could handle certs... aiming to start with an existing solution and wrapping it => just an idea07:14
chriadame.g. increased memory usage, potential duplication of functionality07:14
chriadambut that might be an idea: secrets API for cert management could just use dirmngr plugin for actual provision etc07:14
dcalisteWell it's not a daemon, it's called on demand by gnupg process.07:14
chriadamah, good07:14
rainemakright... ah, so need to be there regardless07:15
rainemakat the same time if it good for us... maybe worth adding it as a plugin to the secrets07:15
dcalisterainemak, I agree. But I need to better understand first what it is doing actually and how to see what kind of API we can propose in secret for this.07:16
dcalisteSo, all in all, signing and verification work more or less for PGP and S/MIME.07:17
chriadamthat's exceptionally good news, thank you for doing that investigation and work07:17
dcalisterainemak, did you have time to look to provide me access to account-settings to add the UI to activate these?07:18
chriadamin August most people from Finland will be back at work, so I expect the ball will get "properly" rolling to get all these pieces more polished and merged+tagged then07:18
dcalistechriadam: ok fine with me. I'll be in and off during the two summer months, but I can follow.07:19
dcalistechriadam: about the signature process, at one moment, you'll have to test it with your customer, because it is working with my workflow, but one will have to test that it's working for some else also ;)07:20
chriadamyes, of course07:20
chriadamalthough it's worth noting that Certificate API (and features) has not been a priority (yet) from their POV as far as we have discussed recently07:21
chriadamso not sure how much feedback / testing we will get in the near future in that regard07:21
chriadambut will definitely raise the topic during our discussions07:21
dcalisteYes, certificates from my point of view is a one shot: you add the root certificate of your institution once and then you can forget about it up to the expiry date.07:22
chriadamah right07:22
chriadamuntil/unless it's revoked?  I guess that's what dirmngr handles?07:22
dcalistedirmangr connect to the net to know revocation list and invalidate certificate locally from my understanding.07:23
rainemakdcaliste, sorry... forgot that. will do it after this meeting07:23
dcalisterainemak, no problem, I played with dirmngr anyway last week.07:24
rainemakdcaliste, I have "yellow" note-it under my nose :)07:24
dcalisterainemak ;)07:24
chriadamwe have _some_ handling of certs in Sailfish OS, but not sure precisely what that means.  It may just be "a bundle of certs live in some directory under /etc or something" not sure...07:24
chriadamanyway, that will be interesting to follow up on in the future07:25
dcalistechriadam: that's my understanding and that these certificates are used by Mozilla chain of trust, but sadly GnuPG is using another implementation...07:25
dcalisteAFAIK in fact.07:25
dcalisteI may be wrong, not yet up to date on this topic.07:25
dcalisteI think I will investigate more how gnupg is handling certificates, listing them, importing them...07:26
chriadamthat would be very helpful!07:26
dcalisteThis will help designing an API when required.07:26
chriadamvery much so07:26
chriadamI expect that activity to take off in earnest around November-ish, but that's a guess07:26
dcalisteI will open an issue in Github where to write down my understanding of the matter.07:27
dcalisteAbout the discussion on Github with Venemo remark, I may agree that my separation UID <-> collection and subkeys <-> keys may not be that smart after all.07:28
chriadamI didn't follow that discussion07:28
chriadamI think the main issue is that we didn't allow for subkeys in our API07:28
dcalisteI is dividing well the keys in the UI, but it makes the list quite long and difficult to read.07:29
dcalisteAbout subkeys, it's fine with the current API, subkey in GnuPG is a key in an existing collection, which fits well in fact.07:29
chriadamhaving separate collections is a required feature, but maybe the way that's exposed in the UI is a bit clunky because it's assumed that there are few collections but many keys in each collection07:29
dcalisteSo I'm wondering if it's a proper logical division (UID == collection) or a rendering issue...07:30
dcalisteI'm wondering if in GnuPG I don't expose any collection and put all keys together with a filter on the UID...07:30
dcalisteIt's something that is easy to change anyway.07:31
dcalisteAnd won't have much impact since the keys are actually stored by GnuPG anyway.07:31
dcalisteI'm sorry I need to interrupt our discussion, it's time for me to bring my child to the doctor.07:31
chriadamno problem at all07:31
chriadamthank you for your time07:31
dcalisteWe can continue next week on this topic!07:32
chriadamI hope your child is feeling better soon!07:32
chriadamyes.  have a great week!07:32
dcalisteIs fine, it's a simple rendez-vous.07:32
chriadamah, good07:32
dcalisteHave a nice week chriadam and rainemak.07:32
rainemakdcaliste, thanks! you too07:32
*** frinring_ is now known as frinring10:13
*** Nokiu_ is now known as Nokius12:04
*** feodoran is now known as Guest9478818:41
*** feodoran_ is now known as feodoran18:42
*** feodoran is now known as Guest3171523:58
*** feodoran_ is now known as feodoran23:58

Generated by irclog2html.py 2.17.1 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!