25

Certificate management for Sailfish.

asked 2015-01-19 13:42:06 +0200

ApB

updated 2015-01-19 13:55:08 +0200

eric

@bijjal mentioned here that they are in the process of implementing certificate management for SFOS and the needed UI.

Apart from WPA Enterprise, what else is coming with it?


1 Answer

5

answered 2015-01-20 06:17:02 +0200

jbrooks

At the moment, we're working on moving all CA management into p11-kit and unifying that across the various TLS libraries (we have OpenSSL, GnuTLS, and two versions of NSS to work with).

That's just a first step; we need to do more research on building proper certificate management that we can tie into the UI. What particular things should we be focused on?


Comments

6

The N9 had a manager as well, but it simply wouldn't allow you to remove or at least disable one of the standard CA certs. Result: when a root certificate got compromised, you couldn't protect yourself by marking the cert as untrusted. Remember DigiNotar?

So, let the user have the last say in which certificates to trust.

Fuzzillogic ( 2015-01-20 08:40:09 +0200 )

I was asking about features -GUI- that have something to do with certificates, to be exact. I.e. @bijjal mentioned WPA Enterprise, and what came to my mind was VPN, which is also missing from the UI and IMO is something also needed in order for Jolla to be more of a tool.

ApB ( 2015-01-20 14:07:38 +0200 )
1

In addition to the already mentioned enabling and disabling of built-in certificates, and this other thread about the same thing:

  • certificate details checking (so that it would be possible for example to specify what hostname should be in the certificate's CA field), important for example for WPA2 certificate validation

  • certificate pinning or something like this

  • also, when proper certificate management and possibly certificate pinning is in place, all 'accept any certificate' settings should be removed completely from the UI and applications to prevent clueless users selecting them

Karri Huhtanen ( 2015-02-24 00:04:43 +0200 )
1

Installing additional CA and personal certificates should also be possible via WWW browser and/or email client, for example by utilising MIME types to identify certificates and certificate packages such as PKCS12.

For each CA certificate it should be possible to select what that CA certificate is capable of certifying. For example, not all WWW server certifying certificates should be allowed to certify RADIUS servers for WPA Enterprise authentication or email / instant messaging servers.

Karri Huhtanen ( 2015-02-24 00:25:16 +0200 )

It's quite important to have scopes: which CAs or self-signed certs are for Wireless (RADIUS), which are for the Mail client, which are for OpenVPN, which are for IPSec and which is the general purpose CA (web).

Maybe for each app, either there is a scoped CA store or, if there is no scoped CA store, the app uses the general store? Pinning also sounds nice.

cray ( 2015-04-21 17:52:11 +0200 )
Stats

Asked: 2015-01-19 13:42:06 +0200

Seen: 786 times

Last updated: Jan 20 '15