Jeff, Just a few questions...
How does this work with Trusted Extensions? Will there be a separate keyring per label? Has this been answered previously in another ARC case?

> /usr/lib/gnome-keyring/ \           Volatile          (New)
>     gnome-keyring-pkcs11.so

This appears to be a Project Private library as it is hidden underneath the /usr/lib/gnome-keyring directory. Is that correct? If so then it should be declared as Project Private.

It appears from the document that the default behavior is to have the ssh agent turned off for Solaris. Thus it will use OpenSSH. Is that correct?

Thanks,
John

On Tue, 2008-07-08 at 23:48, Shi-Ying Irene Huang wrote:
> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
> This information is Copyright 2008 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>          gnome-keyring
>     1.2. Name of Document Author/Supplier:
>          Author:  Jeff Cai
>     1.3  Date of This Document:
>          08 July, 2008
> 4. Technical Description
>
> 1. Introduction
>
> 1.1. Project/Component Working Name:
>
>     GNOME Keyring
>
> 1.2. Name of Document Author/Supplier:
>
>     Author:  Jeff Cai
>     Sponsor: Irene Huang
>
> 1.3. Date of This Document:
>
>     07/09/2008
>
> 1.4. Name of Major Document Customer(s)/Consumer(s):
>
>     1.4.1. The PAC or CPT you expect to review your project:
>
>         Solaris PAC
>
>     1.4.2. The ARC(s) you expect to review your project:
>
>         LSARC
>
>     1.4.3. The Director/VP who is "Sponsoring" this project:
>
>         Robert O'Dea
>
>     1.4.4. The name of your business unit:
>
>         Software - OPG
>
> 1.5. Email Aliases:
>     1.5.1. Responsible Manager:  harry.lu at sun.com
>     1.5.2. Responsible Engineer: jeff.cai at sun.com
>     1.5.3. Marketing Manager:
>     1.5.4. Interest List:        brian.cameron at sun.com
>                                  darren.moffat at sun.com
>                                  wyllys.ingersoll at sun.com
>
> 2. Project Summary
> 2.1. Project Description:
>
> GNOME Keyring is a system to store passwords and other sensitive data in a
> standardized way across all GNOME applications.
>
> A keyring stores a collection of encrypted passwords and encrypted
> information about those passwords. A user can have multiple keyrings, each
> for a different use, but there is a default one, called 'login'. There is
> also a special 'session' keyring which is not stored on disk and goes away
> when you log out.
>
> When a user logs into GNOME, the keyrings are locked and a master keyring
> password has to be provided in order to unlock each of them.
>
> This fast-track increments the version of gnome-keyring in Solaris
> from 2.20.3 to 2.22.3.
>
> 4. Technical Description:
>
> 4.1. Details:
>
> Compared with the previous version 2.20, the following features have been
> added:
>
> - Basic X.509 certificate and key store.
> - PKCS#11 module for accessing certificates and keys.
> - Now includes an SSH agent.
> - Automatically activate the keyring daemon via DBus if it is not already
>   running.
> - Add a simpler API for accessing and storing passwords. Older APIs
>   exist too. Refer to [1].
>
> 4.2 GNOME Keyring SSH Agent
>
> GNOME Keyring includes an SSH agent which integrates with the gnome-keyring
> and user login for its passwords. It can also use the main X.509 private
> key store.
>
> GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
> starts up.
>
> The id_rsa and id_dsa files in ~/.ssh are automatically usable through the
> SSH agent without first 'loading' them. Other X.509 private keys marked
> with the 'ssh-authentication' purpose are also usable.
>
> Additional SSH keys can be manually loaded and managed via the ssh-add
> command.
>
> If you use another SSH agent (such as the ssh-agent included with OpenSSH),
> you may want to disable the SSH agent in GNOME Keyring to prevent ssh from
> using it instead of your preferred SSH agent. You can set the
> /apps/gnome-keyring/daemon-components/ssh
> gconf key to false. This prevents the SSH component of gnome-keyring from
> starting up when the user logs in.
>
> The default GNOME start up script (/usr/dt/config/Xsession.jds) will be
> changed to NOT start up "under" ssh-agent like it does today and instead
> ensure the environment variables for the gnome-keyring version are set
> early enough.
>
> 4.3 GNOME Keyring Certificates and Encryption Keys
>
> The following paths are searched for encryption keys and certificate
> files.
>
> - ~/.ssh/id_?sa
> - ~/.gnome2/keystore/*
>
> Most standard file formats for keys and certificates are supported:
>
> Certificates
>
>   * Standard DER encoded certificates.
>   * Certificates contained in PKCS#7 files.
>   * Certificates contained in PKCS#8 files.
>   * PEM encodings of the above.
>
> Encryption Keys
>
>   * PKCS#1 RSA keys.
>   * PKCS#8 encrypted RSA and DSA keys.
>   * DER encoded DSA keys.
>   * PEM encodings of the above.
>   * OpenSSL PEM encrypted keys.
>
> File Encryption and Password Algorithms
>
> PKCS#5 PBE
>
>   * DES CBC MD2
>   * DES CBC MD5
>   * DES CBC SHA1
>
> PKCS#5 PBE2
>
>   * DES CBC SHA1
>   * 3DES CBC SHA1
>   * RC2-128 CBC SHA1
>
> PKCS#12 PBE
>
>   * RC4-128 STREAM SHA1
>   * 3DES CBC SHA1
>   * RC2-128 CBC SHA1
>   * RC2-40 CBC SHA1
>
> Supported crypto mechanisms include
>
> - DSA: sign/verify
> - RSA: encrypt/decrypt sign/verify
>
> 4.4 GNOME Keyring Cryptoki (PKCS#11) Support
>
> PKCS#11 is a standard that lets applications use encryption keys and
> certificates on devices like smart cards. gnome-keyring implements this
> standard and acts as such a device, storing keys and certificates and
> making them available for applications to use.
>
> PKCS#11 deals directly with things like RSA/DSA signing operations, and
> certificate attributes. It's a bit low level. Usually one uses PKCS#11
> through a crypto library like NSS. [5]
>
> PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to perform
> the actual crypto operations; nowhere in the keyring/pkcs11 code do they
> actually re-implement RSA or DSA key-generation or crypto functionality.
>
>
> 4.5. Interfaces:
>
> Exported Interfaces
>
> Interface                           Classification    Comments
> ---------------                     --------------    -----------------------
> SUNWgnome-libs                      Uncommitted       Package name (unchanged)
> SUNWgnome-libs-devel                Uncommitted       Package name (unchanged)
>
> /usr/lib/libgnome-keyring.so        Volatile          Symbolic Link (unchanged)
> /usr/lib/libgnome-keyring.so.0      Volatile          SONAME (changed)
>
> /usr/share/gconf/schemas/ \         Volatile          GCONF keys schemas that
>     gnome-keyring.schemas                             defines the preferences
>                                                       for the tools (New)
>
> /usr/bin/gnome-keyring-daemon       Volatile          (unchanged)
> /usr/lib/gnome-keyring-ask          Project Private   (unchanged)
>
> /usr/lib/gnome-keyring/ \           Volatile          (New)
>     gnome-keyring-pkcs11.so
>
> /usr/lib/pkgconfig/ \
>     gnome-keyring-1.pc              Volatile          (unchanged)
> /usr/include/gnome-keyring-1/ \
>     gnome-keyring.h                 Volatile          (unchanged)
> /usr/include/gnome-keyring-1/ \
>     gnome-keyring-memory.h          Volatile          (unchanged)
> /usr/include/gnome-keyring-1/ \
>     gnome-keyring-result.h          Volatile          (unchanged)
>
> ~/.gnome2/keyrings                  Project Private   Location where keyrings
>                                                       are stored
>
> /usr/share/dbus-1/services/ \       Project Private   DBus service file (New)
>     org.gnome.keyring.service
>
> org.gnome.keyrings.Daemon           Volatile          DBus interface (session
>                                                       interface)
> org.gnome.keyrings.Daemon \         Volatile          DBus method, return
>     GetSocketPath                                     socket path.
>
> Imported Interfaces
>
> Interface           Classification    Comments
> ---------------     ---------------   -----------------------
> GTK+                Committed         LSARC/2008/207
> GLib                Committed         LSARC/2008/207
> D-Bus               Volatile          LSARC/2006/368
> libhal              Volatile          PSARC/2005/399
> libgcrypt           Volatile          LSARC/2008/354
> libtasn1            Volatile          LSARC/2008/390
>
> 4.6. Packaging & Delivery:
>
> No new packages are delivered. The two existing packages:
>     SUNWgnome-libs (base package)               - base package for binaries
>     SUNWgnome-libs-devel (development package)  - development package for
>
> 4.7 Security Impact:
>
> Please refer to [7].
>
> 4.8 Dependencies:
>
> libtasn1 is a new imported interface. gnome-keyring makes use of libtasn1 to
> parse X.509 certificates and general certificates.
>
> 5. References
> [1] New API storing passwords:
>     http://live.gnome.org/GnomeKeyring/StoringPasswords
> [2] Homepage:
>     http://live.gnome.org/GnomeKeyring
> [3] API document: http://library.gnome.org/devel/gnome-keyring/stable/
> [4] GNOME 2.14 ARC: LSARC/2006/202/
> [5] Configure other applications to use gnome-keyring certificates
>     and keys:
>     http://live.gnome.org/GnomeKeyring/ApplicationSetup
> [6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
> [7] GNOME 2.14 security questionnaire:
>     http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
>
>
> 6. Resources and Schedule
> 6.4. Steering Committee requested information
>     6.4.1. Consolidation C-team Name:
>            Desktop
> 6.5. ARC review type: FastTrack
> 6.6. ARC Exposure: open
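Added example, not part of the case or of gnome-keyring's own loader: an inventory script for the search paths section 4.3 names (~/.ssh/id_?sa and ~/.gnome2/keystore/*). It classifies each file by the PEM label or DER framing of the formats listed there and reports private keys that are stored unencrypted or readable by group/other, since those become usable through the agent at login without any passphrase. The PEM labels, the globs and the group/other check are assumptions taken from the text; the PEM fragments used in testing are constructed headers, not real keys.

```python
import glob
import os
import re

# Search paths named in section 4.3 of the case (assumption: taken from the
# text, not from gnome-keyring's loader code; expanded at scan time).
SEARCH_GLOBS = ["~/.ssh/id_?sa", "~/.gnome2/keystore/*"]

# PEM armour labels for the formats section 4.3 lists -> (kind, encrypted?).
PEM_LABELS = {
    "CERTIFICATE": ("x509-certificate", False),
    "PKCS7": ("pkcs7-certificates", False),
    "RSA PRIVATE KEY": ("pkcs1-rsa-key", False),
    "DSA PRIVATE KEY": ("dsa-key", False),
    "PRIVATE KEY": ("pkcs8-key", False),
    "ENCRYPTED PRIVATE KEY": ("pkcs8-key", True),
}


def classify_pem(text):
    """Return (kind, encrypted) for a PEM blob, or None if the label is unknown."""
    m = re.search(r"-----BEGIN ([A-Z0-9 #]+)-----", text)
    if not m or m.group(1) not in PEM_LABELS:
        return None
    kind, encrypted = PEM_LABELS[m.group(1)]
    # OpenSSL's legacy PEM encryption is signalled by headers, not by the label.
    if re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M):
        encrypted = True
    return kind, encrypted


def classify_bytes(data):
    """Classify raw file bytes: PEM, bare DER (ASN.1 SEQUENCE), or unknown."""
    if data.startswith(b"-----BEGIN"):
        return classify_pem(data.decode("ascii", "replace")) or ("unknown-pem", False)
    if data[:1] == b"\x30":
        return "der", False  # cert or key; encryption is not decidable by framing
    return "unknown", False


def scan(globs=SEARCH_GLOBS):
    """Yield (path, kind, encrypted, exposed) for each file the daemon would see."""
    for pattern in globs:
        for path in sorted(glob.glob(os.path.expanduser(pattern))):
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                kind, encrypted = classify_bytes(f.read())
            exposed = bool(os.stat(path).st_mode & 0o077)  # any group/other bit set
            yield path, kind, encrypted, exposed
```

Iterate `scan()` to list what the daemon would pick up; a kind ending in `-key` with `encrypted` False is a private key usable by the agent with no passphrase, and `exposed` marks files whose mode grants group or other access.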
