Hello Mark,
gsso, at its core, is a system for storing user credentials securely
(see below for what 'securely' means), and an API for performing
operations on them through plugins.
Such plugins can perform online authentication using those credentials
(this is what our OAuth and SASL plugins do), but they can also perform
entirely offline operations - we have a simple 'password' plugin that
simply returns the password stored in secure storage back to the
application, and we also have plans for a x.509 plugin that would handle
operations for X.509 certificates, without exposing the related keys to
the requesting application. It's also possible to write additional
plugins of course.
'Secure storage' means two things:
1) the storage for the database with credentials is handled by storage
manager plugins (which is a different kind of plugins than above). At
the moment we have a default plugin which is using classic Unix
permissions to restrict access to the database files to gsso only, and a
Tizen-specific plugin, which is using ecryptfs to additionally provide
encryption for the database files. It's also possible to write
additional plugins of this kind which can use other security mechanisms
provided by platforms.
2) Each credential has an access control list attached to it, and
applications access to the operations on the credential is restricted by
gsso accordingly. Once again, actual access check is performed by
plugins (this is the third kind of plugins, the 'access control' one).
There is a default plugin that is using binary paths of the apps, and a
Tizen-specific plugin that is using SMACK labels.
So, in summary, yes, I believe that gsso is the 'secure storage manager'
you're looking for, and has enough flexibility to work the way you want.
Perhaps you could describe your main use cases?
Regards,
Alex
On 02/04/2014 11:05 AM, Mark De Roussier wrote:
Hi Alexander,
I am not really familiar with gSSO. On the face of it, gSSO itself is
not what I mean. It's focused on credentials, and I had put it in my
'authentication tool' category. I think I'm interested in something
more general. But it's interesting that gSSO is using eCryptfs. That
answers a bunch of questions I had :). So if eCryptfs works with
Tizen, then ( as a sweeping generalization ) it should be possible
for something ( a 'user profile manager', or 'secure storage
manager', or something like that ) to maintain differently keyed
storage areas corresponding to different user profiles.
Thanks, Mark
MARK DE ROUSSIER Team Lead
Symphony Teleca Sunley House, 46 Jewry Street, Winchester, Hampshire,
SO23 8RY Phone: +441962891219, Fax: +441962868867
mailto:[email protected]
http://www.symphonyteleca.com
Teleca Limited, a company registered in England & Wales, registration
number 2773878, registered office at Sunley House, 46 Jewry Street,
Winchester, Hampshire SO23 8RY. VAT registration number GB 674 6583
90
Follow what's going on at Symphony Teleca's blog on
http://www.symphonyteleca.com/blog. Please consider the environment
before you print.
Notice to recipient: This e-mail (including any attachments) is meant
for the intended recipient only, may contain confidential and
proprietary information, and is protected by law. If you received
this e-mail in error, please immediately notify the sender of the
error by return e-mail, delete this communication and any
attachments, and shred any printouts. Unauthorized review, use,
dissemination, distribution, copying or taking of any action based on
this communication is strictly prohibited.
-----Original Message----- From: Alexander Kanavin
[mailto:[email protected]] Sent: 03 February 2014 17:08 To:
[email protected]; Mark De Roussier Subject: Re: Tizen security :
data-at-rest encryption ?
On 02/03/2014 06:19 PM, Mark De Roussier wrote:
So, what approach does Tizen have to data-at-rest security ?
Hello Mark,
is gSSO what you're looking for? https://01.org/gsso/overview
It's using eCryptfs to store user credentials on disk, and has an
access-controlled API for apps to make use of them.
Regards, Alex
_______________________________________________
IVI mailing list
[email protected]
https://lists.tizen.org/listinfo/ivi
