John Fischer wrote:
> Jeff,
>
> Just a few questions...
>
> How does this work with Trusted Extensions? Will there
> be a separate keyring per label? Has this been answered
> previously in another ARC case?
>
This issue has not been discussed before. I think Stephen Browne can give
more about it.

> >> /usr/lib/gnome-keyring/ \          Volatile        (New)
> >>   gnome-keyring-pkcs11.so
> >>
>
> This appears to be a Project Private library as it is
> hidden underneath /usr/lib/gnome-keyring directory.
> Is that correct? If so then it should be declared as
> Project Private.
>
As Darren has said, the library can be added by cryptoadm(1M) as a
provider, so I'd like it to be a volatile interface.

> It appears from the document that the default behavior
> is to have the ssh agent turned off for Solaris. Thus
> it will use OpenSSH. Is that correct?
>
Currently, ssh-agent is started in /usr/dt/config/Xsession.jds. Since
gnome-session will also start gnome-keyring-daemon with the ssh agent
enabled, the start script of ssh-agent in Xsession.jds will be removed in
case of the conflict.

Jeff

> Thanks,
>
> John
>
> On Tue, 2008-07-08 at 23:48, Shi-Ying Irene Huang wrote:
>
>> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
>> This information is Copyright 2008 Sun Microsystems
>> 1. Introduction
>> 1.1. Project/Component Working Name:
>> gnome-keyring
>> 1.2. Name of Document Author/Supplier:
>> Author: Jeff Cai
>> 1.3 Date of This Document:
>> 08 July, 2008
>> 4. Technical Description
>> 1. Introduction
>> 1.1. Project/Component Working Name:
>>
>> GNOME Keyring
>>
>> 1.2. Name of Document Author/Supplier:
>>
>> Author: Jeff Cai
>> Sponsor: Irene Huang
>>
>> 1.3. Date of This Document:
>>
>> 07/09/2008
>>
>> 1.4. Name of Major Document Customer(s)/Consumer(s):
>>
>> 1.4.1. The PAC or CPT you expect to review your project:
>>
>> Solaris PAC
>>
>> 1.4.2. The ARC(s) you expect to review your project:
>>
>> LSARC
>>
>> 1.4.3. The Director/VP who is "Sponsoring" this project:
>>
>> Robert O'Dea
>>
>> 1.4.4. The name of your business unit:
>>
>> Software - OPG
>>
>> 1.5. Email Aliases:
>> 1.5.1. Responsible Manager: harry.lu at sun.com
>> 1.5.2. Responsible Engineer: jeff.cai at sun.com
>> 1.5.3. Marketing Manager:
>> 1.5.4. Interest List: brian.cameron at sun.com
>>                       darren.moffat at sun.com
>>                       wyllys.ingersoll at sun.com
>>
>> 2. Project Summary
>> 2.1. Project Description:
>>
>> GNOME Keyring is a system to store passwords and other sensitive data in a
>> standardized way across all GNOME applications.
>>
>> A keyring stores a collection of encrypted passwords and encrypted
>> information about those passwords. A user can have multiple keyrings, each
>> for a different use, but there is a default one, called 'login'. There is
>> also a special 'session' keyring which is not stored on disk and goes away
>> when you log out.
>>
>> When a user logs into GNOME, the keyrings are locked and a master keyring
>> password has to be provided in order to unlock each of them.
>>
>> This fast-track increments the version of gnome-keyring in Solaris
>> from 2.20.3 to 2.22.3.
>>
>> 4. Technical Description:
>>
>> 4.1. Details:
>>
>> Compared with the previous version 2.20, the following features have been
>> added:
>>
>> - Basic X.509 certificate and key store.
>> - PKCS#11 module for accessing certificates and keys.
>> - Now includes an SSH agent.
>> - Automatically activate keyring daemon via DBus if it is not already
>>   running.
>> - Add a simpler API for accessing and storing passwords. Older APIs
>>   exist too. Refer to [1]
>>
>> 4.2 GNOME Keyring SSH Agent
>>
>> GNOME Keyring includes an SSH agent which integrates with the gnome-keyring
>> and user login for its passwords. It can also use the main X.509 private
>> key store.
>>
>> GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
>> starts up.
>>
>> The id_rsa and id_dsa files in ~/.ssh are automatically usable through the
>> SSH agent without first 'loading' them. Other X.509 private keys marked
>> with the 'ssh-authentication' purpose are also usable.
>>
>> Additional SSH keys can be manually loaded and managed via the ssh-add
>> command.
>>
>> If you use another SSH agent (such as the ssh-agent included with OpenSSH),
>> you may want to disable the SSH agent in GNOME Keyring to prevent ssh from
>> using it instead of your preferred SSH agent. You can set the
>> /apps/gnome-keyring/daemon-components/ssh
>> gconf key to false. This prevents the SSH component of gnome-keyring from
>> starting up when the user logs in.
>>
>> The default GNOME start up script (/usr/dt/config/Xsession.jds) will be
>> changed to NOT start up "under" ssh-agent like it does today and instead
>> ensure the environment variables for the gnome-keyring version are set
>> early enough.
>>
>> 4.3 GNOME Keyring Certificates and Encryption Keys
>>
>> The following paths are searched for encryption keys and certificate
>> files.
>>
>> - ~/.ssh/id_?sa
>> - ~/.gnome2/keystore/*
>>
>> Most standard file formats for keys and certificates are supported:
>>
>> Certificates
>>
>> * Standard DER encoded certificates.
>> * Certificates contained in PKCS#7 files.
>> * Certificates contained in PKCS#8 files.
>> * PEM encodings of the above.
>>
>> Encryption Keys
>>
>> * PKCS#1 RSA keys.
>> * PKCS#8 encrypted RSA and DSA keys.
>> * DER encoded DSA keys.
>> * PEM encodings of the above.
>> * OpenSSL PEM encrypted keys.
>>
>> File Encryption and Password Algorithms
>>
>> PKCS#5 PBE
>>
>> * DES CBC MD2
>> * DES CBC MD5
>> * DES CBC SHA1
>>
>> PKCS#5 PBE2
>>
>> * DES CBC SHA1
>> * 3DES CBC SHA1
>> * RC2-128 CBC SHA1
>>
>> PKCS#12 PBE
>>
>> * RC4-128 STREAM SHA1
>> * 3DES CBC SHA1
>> * RC2-128 CBC SHA1
>> * RC2-40 CBC SHA1
>>
>> Supported crypto mechanisms include
>>
>> - DSA: sign/verify
>> - RSA: encrypt/decrypt sign/verify
>>
>> 4.4 GNOME Keyring Cryptoki (PKCS#11) Support
>>
>> PKCS#11 is a standard that lets applications use encryption keys and
>> certificates on devices like smart cards. gnome-keyring implements this
>> standard and acts as such a device, storing keys and certificates and
>> making them available for applications to use.
>>
>> PKCS#11 deals directly with things like RSA/DSA signing operations, and
>> certificate attributes. It's a bit low level. Usually one uses PKCS#11
>> through a crypto library like NSS. [5]
>>
>> PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to perform
>> the actual crypto operations; nowhere in the keyring/pkcs11 code do they
>> actually re-implement RSA or DSA key-generation or crypto functionality.
>>
>>
>> 4.5. Interfaces:
>> Exported Interfaces
>> Interface                          Classification   Comments
>> ---------------                    --------------   -----------------------
>> SUNWgnome-libs                     Uncommitted      Package name (unchanged)
>> SUNWgnome-libs-devel               Uncommitted      Package name (unchanged)
>>
>> /usr/lib/libgnome-keyring.so       Volatile         Symbolic Link (unchanged)
>> /usr/lib/libgnome-keyring.so.0     Volatile         SONAME (changed)
>>
>> /usr/share/gconf/schemas/ \        Volatile         GCONF keys schemas that
>>   gnome-keyring.schemas                             define the preferences
>>                                                     for the tools (New)
>>
>> /usr/bin/gnome-keyring-daemon      Volatile         (unchanged)
>> /usr/lib/gnome-keyring-ask         Project Private  (unchanged)
>>
>> /usr/lib/gnome-keyring/ \          Volatile         (New)
>>   gnome-keyring-pkcs11.so
>>
>> /usr/lib/pkgconfig/ \
>>   gnome-keyring-1.pc               Volatile         (unchanged)
>> /usr/include/gnome-keyring-1/ \
>>   gnome-keyring.h                  Volatile         (unchanged)
>> /usr/include/gnome-keyring-1/ \
>>   gnome-keyring-memory.h           Volatile         (unchanged)
>> /usr/include/gnome-keyring-1/ \
>>   gnome-keyring-result.h           Volatile         (unchanged)
>>
>> ~/.gnome2/keyrings                 Project Private  Location where keyrings
>>                                                     are stored
>>
>> /usr/share/dbus-1/services/ \      Project Private  DBus service file (New)
>>   org.gnome.keyring.service
>>
>> org.gnome.keyrings.Daemon          Volatile         DBus interface (session
>>                                                     interface)
>> org.gnome.keyrings.Daemon \        Volatile         DBus method, returns
>>   GetSocketPath                                     socket path.
>>
>> Imported Interfaces
>> Interface                          Classification   Comments
>> ---------------                    ---------------  -----------------------
>> GTK+                               Committed        LSARC/2008/207
>> GLib                               Committed        LSARC/2008/207
>> D-Bus                              Volatile         LSARC/2006/368
>> libhal                             Volatile         PSARC/2005/399
>> libgcrypt                          Volatile         LSARC/2008/354
>> libtasn1                           Volatile         LSARC/2008/390
>>
>> 4.6. Packaging & Delivery:
>>
>> No new packages are delivered. The two existing packages:
>> SUNWgnome-libs (base package) - base package for binaries
>> SUNWgnome-libs-devel (development package) - development package for
>>
>> 4.7 Security Impact:
>>
>> Please refer to [7].
>>
>> 4.8 Dependencies:
>>
>> libtasn1 is a new imported interface. gnome-keyring makes use of libtasn1 to
>> parse X.509 certificates and general certificates.
>>
>> 5. References
>> [1] New API storing passwords:
>>     http://live.gnome.org/GnomeKeyring/StoringPasswords
>> [2] Homepage:
>>     http://live.gnome.org/GnomeKeyring
>> [3] API document:
>>     http://library.gnome.org/devel/gnome-keyring/stable/
>> [4] GNOME 2.14 ARC: LSARC/2006/202/
>> [5] Configure other applications to use gnome-keyring certificates
>>     and keys:
>>     http://live.gnome.org/GnomeKeyring/ApplicationSetup
>> [6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
>> [7] GNOME 2.14 security questionnaire:
>>     http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
>>
>>
>> 6. Resources and Schedule
>> 6.4. Steering Committee requested information
>> 6.4.1. Consolidation C-team Name:
>>     Desktop
>> 6.5. ARC review type: FastTrack
>> 6.6. ARC Exposure: open
>>
>
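A practitioner's check for the ssh-agent conflict discussed in this thread (the ssh-agent started from Xsession.jds versus the agent built into gnome-keyring-daemon), added here as an example; it is not part of the ARC case, of Xsession.jds, or of gnome-keyring itself. It classifies the session's SSH_AUTH_SOCK by the path the agent created, probes whether anything still answers on it, and prints the gconftool-2 command that sets the /apps/gnome-keyring/daemon-components/ssh key the case names. The socket path patterns (/tmp/keyring-XXXXXX/socket.ssh for gnome-keyring 2.22, /tmp/ssh-XXXXXXXXXX/agent.<pid> for OpenSSH/SunSSH ssh-agent) are assumptions about those versions, and the use of ssh-add exit status 2 as "no agent reachable" follows the OpenSSH manual; verify both on your build before relying on the script.

```shell
#!/bin/sh
# Added example, not code from the ARC case or from gnome-keyring.
# Decide which SSH agent a GNOME session's SSH_AUTH_SOCK points at, detect a
# stale socket, and show how to turn gnome-keyring's SSH component off when
# the user prefers the OpenSSH/SunSSH ssh-agent.
#
# Assumptions (not stated on the page; check against your build):
#   gnome-keyring 2.22 agent socket : /tmp/keyring-XXXXXX/socket.ssh
#   OpenSSH / SunSSH ssh-agent      : /tmp/ssh-XXXXXXXXXX/agent.<pid>
#   ssh-add -l exits 2 when it cannot contact an agent (OpenSSH ssh-add(1))

GCONF_KEY=/apps/gnome-keyring/daemon-components/ssh

# classify_agent_sock PATH -> prints gnome-keyring | ssh-agent | unknown | unset
classify_agent_sock() {
    case "$1" in
        "")                          echo unset ;;
        /tmp/keyring-*/socket.ssh)   echo gnome-keyring ;;
        /tmp/ssh-*/agent.*)          echo ssh-agent ;;
        *)                           echo unknown ;;
    esac
}

# disable_keyring_ssh_cmd -> prints (does not run) the gconf command that
# stops the SSH component of gnome-keyring from starting at login.
disable_keyring_ssh_cmd() {
    echo "gconftool-2 --type bool --set $GCONF_KEY false"
}

# agent_reachable PATH -> 0 if an agent answers on the socket, 1 otherwise.
# Uses ssh-add's exit status: 0 = keys listed, 1 = agent has no keys,
# 2 = no agent reachable. Both 0 and 1 mean something is listening.
agent_reachable() {
    command -v ssh-add >/dev/null 2>&1 || return 1
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# agent_report: run the check against the live environment.
agent_report() {
    sock="${SSH_AUTH_SOCK:-}"
    kind=$(classify_agent_sock "$sock")
    echo "SSH_AUTH_SOCK=${sock:-<unset>} -> $kind"
    case "$kind" in
        gnome-keyring)
            echo "ssh will use gnome-keyring's agent (~/.ssh/id_?sa loaded automatically)."
            echo "To prefer the OpenSSH/SunSSH agent instead, run:"
            echo "  $(disable_keyring_ssh_cmd)" ;;
        ssh-agent)
            echo "ssh will use the OpenSSH/SunSSH ssh-agent started for this session." ;;
        unset)
            echo "No agent in this session; ssh will prompt for key passphrases." ;;
        *)
            echo "Unrecognised socket path; inspect it with: ssh-add -l" ;;
    esac
    if [ -n "$sock" ] && ! agent_reachable "$sock"; then
        echo "warning: SSH_AUTH_SOCK is set but no agent answers (stale socket," \
             "e.g. the Xsession.jds ssh-agent was removed but the variable survived)."
    fi
    # Current value of the gconf key, when gconftool-2 is available.
    if command -v gconftool-2 >/dev/null 2>&1; then
        echo "$GCONF_KEY = $(gconftool-2 --get "$GCONF_KEY" 2>/dev/null || echo '<unset>')"
    fi
}

agent_report
```

Run it from a GNOME session on the updated system: a "gnome-keyring" verdict with a reachable socket confirms that the keyring's agent won the race described in the thread, and the printed gconftool-2 line is the per-user opt-out the case documents; a stale-socket warning after the Xsession.jds change means the old SSH_AUTH_SOCK export is still being set somewhere in the login path.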
