[Freeipa-devel] GSS-Proxy <-> TPM <-> PKCS#11 (silly idea)

Dmitri Pal dpal at redhat.com
Tue Mar 4 16:47:09 UTC 2014


On 03/04/2014 11:40 AM, Petr Spacek wrote:
> On 4.3.2014 17:25, Dmitri Pal wrote:
>> On 03/04/2014 11:08 AM, Petr Spacek wrote:
>>> On 16.2.2014 13:22, Simo Sorce wrote:
>>>> On Fri, 2014-02-14 at 14:51 +0100, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> I have got a silly idea to use a TPM (Trusted Platform Module) as the
>>>>> backend for keytab storage (via GSS-Proxy).
>>>>>
>>>>> GSS-Proxy prevents the application from accessing key material, right? So
>>>>> GSS-Proxy could theoretically store keys in the TPM and the application
>>>>> wouldn't notice any difference, right?
>>>>>
>>>>> We have libraries for that in Fedora already:
>>>>> https://admin.fedoraproject.org/pkgdb/acls/name/trousers
>>>>>
>>>>>
>>>>> Even sillier idea is to use TPM as a PKCS#11 module:
>>>>> http://trousers.sourceforge.net/pkcs11.html
>>>>>
>>>>> I have no idea what the use case could be ... :-) Maybe as a "cache" for
>>>>> the PKCS#11 module in SSSD?
>>>>>
>>>>>
>>>>> As I said, it is just a silly idea.
>>>>>
>>>>
>>>> Open a ticket in the GSS-Proxy trac :)
>>>
>>> Is it a good topic for a bachelor's/master's thesis? We are going to send a
>>> list of topics for next year, so we have a chance to add it.
>>>
>>> We are not going to touch this any time soon, so it sounds like a good idea
>>> to me.
>>>
>> I am not sure. Sounds like a lot of work with questionable results...
>
> I thought that is the purpose of a thesis? :-)
>
> Now seriously: we are not doing "research with questionable results"
> because we don't have time for it - I perfectly understand that.
>
> That is the reason why I'm proposing such crazy ideas for theses.
>
My hesitation is related to the satisfaction from the work being done by 
a student.
We have many topics that we know we need for the project and taking them 
(and implementing right) would be beneficial for the project and 
rewarding for the student.
With this idea I am concerned that, since there is no clear drive for it
to be needed, there might not be enough motivation to make it usable for
the project.
But I might be wrong.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

