John, gnome-keyring is started at each label the user instantiates a workspace for.

Stephen.

On Thu, 2008-07-10 at 06:59, Jeff Cai wrote:
> John Fischer wrote:
> > Jeff,
> >
> > Just a few questions...
> >
> > How does this work with Trusted Extensions? Will there
> > be a separate keyring per label? Has this been answered
> > previously in another ARC case?
> >
> This issue has not been discussed before. I think Stephen Browne can
> give more about it.
>
> >> /usr/lib/gnome-keyring/ \ Volatile (New)
> >> gnome-keyring-pkcs11.so
> >>
> >
> > This appears to be a Project Private library as it is
> > hidden underneath /usr/lib/gnome-keyring directory.
> > Is that correct? If so then it should be declared as
> > Project Private.
> >
> As Darren has said, the library can be added by cryptoadm(1M) as a
> provider, so I'd like it to be a volatile interface.
>
> > It appears from the document that the default behavior
> > is to have the ssh agent turned off for Solaris. Thus
> > it will use OpenSSH. Is that correct?
> >
> Currently, ssh-agent is started in /usr/dt/config/Xsession.jds. Since
> gnome-session will also start gnome-keyring-daemon with ssh agent
> enabled, the start script of ssh-agent in Xsession.jds will be removed
> in case of the conflict.
>
> Jeff
>
> > Thanks,
> >
> > John
> >
> > On Tue, 2008-07-08 at 23:48, Shi-Ying Irene Huang wrote:
> >
> >> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
> >> This information is Copyright 2008 Sun Microsystems
> >> 1. Introduction
> >>     1.1. Project/Component Working Name:
> >>          gnome-keyring
> >>     1.2. Name of Document Author/Supplier:
> >>          Author: Jeff Cai
> >>     1.3  Date of This Document:
> >>          08 July, 2008
> >> 4. Technical Description
> >>
> >> 1. Introduction
> >>
> >> 1.1. Project/Component Working Name:
> >>
> >>      GNOME Keyring
> >>
> >> 1.2. Name of Document Author/Supplier:
> >>
> >>      Author: Jeff Cai
> >>      Sponsor: Irene Huang
> >>
> >> 1.3. Date of This Document:
> >>
> >>      07/09/2008
> >>
> >> 1.4. Name of Major Document Customer(s)/Consumer(s):
> >>
> >>      1.4.1. The PAC or CPT you expect to review your project:
> >>
> >>             Solaris PAC
> >>
> >>      1.4.2. The ARC(s) you expect to review your project:
> >>
> >>             LSARC
> >>
> >>      1.4.3. The Director/VP who is "Sponsoring" this project:
> >>
> >>             Robert O'Dea
> >>
> >>      1.4.4. The name of your business unit:
> >>
> >>             Software - OPG
> >>
> >> 1.5. Email Aliases:
> >>      1.5.1. Responsible Manager: harry.lu at sun.com
> >>      1.5.2. Responsible Engineer: jeff.cai at sun.com
> >>      1.5.3. Marketing Manager:
> >>      1.5.4. Interest List: brian.cameron at sun.com
> >>                            darren.moffat at sun.com
> >>                            wyllys.ingersoll at sun.com
> >>
> >> 2. Project Summary
> >>
> >> 2.1. Project Description:
> >>
> >> GNOME Keyring is a system to store passwords and other sensitive data
> >> in a standardized way across all GNOME applications.
> >>
> >> A keyring stores a collection of encrypted passwords and encrypted
> >> information about those passwords. A user can have multiple keyrings,
> >> each for a different use, but there is a default one, called 'login'.
> >> There is also a special 'session' keyring which is not stored on disk
> >> and goes away when you log out.
> >>
> >> When a user logs into GNOME, the keyrings are locked and a master
> >> keyring password has to be provided in order to unlock each of them.
> >>
> >> This fast-track increments the version of gnome-keyring in Solaris
> >> from 2.20.3 to 2.22.3.
> >>
> >> 4. Technical Description:
> >>
> >> 4.1. Details:
> >>
> >> Compared with the previous version 2.20, the following features have
> >> been added:
> >>
> >> - Basic X.509 certificate and key store.
> >> - PKCS#11 module for accessing certificates and keys.
> >> - Now includes an SSH agent.
> >> - Automatically activate keyring daemon via DBus if it is not already
> >>   running.
> >> - Add a simpler API for accessing and storing passwords. Older APIs
> >>   exist too. Refer to [1]
> >>
> >> 4.2 GNOME Keyring SSH Agent
> >>
> >> GNOME Keyring includes an SSH agent which integrates with the
> >> gnome-keyring and user login for its passwords. It can also use the
> >> main X.509 private key store.
> >>
> >> GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
> >> starts up.
> >>
> >> The id_rsa and id_dsa files in ~/.ssh are automatically usable through
> >> the SSH agent without first 'loading' them. Other X.509 private keys
> >> marked with the 'ssh-authentication' purpose are also usable.
> >>
> >> Additional SSH keys can be manually loaded and managed via the ssh-add
> >> command.
> >>
> >> If you use another SSH agent (such as the ssh-agent included with
> >> OpenSSH), you may want to disable the SSH agent in GNOME Keyring to
> >> prevent ssh from using it instead of your preferred SSH agent. You can
> >> set the /apps/gnome-keyring/daemon-components/ssh gconf key to false.
> >> This prevents the SSH component of gnome-keyring from starting up when
> >> the user logs in.
> >>
> >> The default GNOME start up script (/usr/dt/config/Xsession.jds) will
> >> be changed to NOT start up "under" ssh-agent like it does today and
> >> instead ensure the environment variables for the gnome-keyring version
> >> are set early enough.
> >>
> >> 4.3 GNOME Keyring Certificates and Encryption Keys
> >>
> >> The following paths are searched for encryption keys and certificate
> >> files.
> >>
> >> - ~/.ssh/id_?sa
> >> - ~/.gnome2/keystore/*
> >>
> >> Most standard file formats for keys and certificates are supported:
> >>
> >> Certificates
> >>
> >>   * Standard DER encoded certificates.
> >>   * Certificates contained in PKCS#7 files.
> >>   * Certificates contained in PKCS#8 files.
> >>   * PEM encodings of the above.
> >>
> >> Encryption Keys
> >>
> >>   * PKCS#1 RSA keys.
> >>   * PKCS#8 encrypted RSA and DSA keys.
> >>   * DER encoded DSA keys.
> >>   * PEM encodings of the above.
> >>   * OpenSSL PEM encrypted keys.
> >>
> >> File Encryption and Password Algorithms
> >>
> >> PKCS#5 PBE
> >>
> >>   * DES CBC MD2
> >>   * DES CBC MD5
> >>   * DES CBC SHA1
> >>
> >> PKCS#5 PBE2
> >>
> >>   * DES CBC SHA1
> >>   * 3DES CBC SHA1
> >>   * RC2-128 CBC SHA1
> >>
> >> PKCS#12 PBE
> >>
> >>   * RC4-128 STREAM SHA1
> >>   * 3DES CBC SHA1
> >>   * RC2-128 CBC SHA1
> >>   * RC2-40 CBC SHA1
> >>
> >> Supported crypto mechanisms include
> >>
> >> - DSA: sign/verify
> >> - RSA: encrypt/decrypt sign/verify
> >>
> >> 4.4 GNOME Keyring Cryptoki (PKCS#11) Support
> >>
> >> PKCS#11 is a standard that lets applications use encryption keys and
> >> certificates on devices like smart cards. gnome-keyring implements this
> >> standard and acts as such a device, storing keys and certificates and
> >> making them available for applications to use.
> >>
> >> PKCS#11 deals directly with things like RSA/DSA signing operations, and
> >> certificate attributes. It's a bit low level. Usually one uses PKCS#11
> >> through a crypto library like NSS. [5]
> >>
> >> PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to
> >> perform the actual crypto operations; nowhere in the keyring/pkcs11
> >> code do they actually re-implement RSA or DSA key-generation or crypto
> >> functionality.
> >>
> >> 4.5. Interfaces:
> >>
> >> Exported Interfaces
> >>
> >> Interface                                        Classification   Comments
> >> ---------------------------------------------    ---------------  -----------------------
> >> SUNWgnome-libs                                   Uncommitted      Package name (unchanged)
> >> SUNWgnome-libs-devel                             Uncommitted      Package name (unchanged)
> >>
> >> /usr/lib/libgnome-keyring.so                     Volatile         Symbolic Link (unchanged)
> >> /usr/lib/libgnome-keyring.so.0                   Volatile         SONAME (changed)
> >>
> >> /usr/share/gconf/schemas/gnome-keyring.schemas   Volatile         GCONF keys schemas that
> >>                                                                   defines the preferences
> >>                                                                   for the tools (New)
> >>
> >> /usr/bin/gnome-keyring-daemon                    Volatile         (unchanged)
> >> /usr/lib/gnome-keyring-ask                       Project Private  (unchanged)
> >>
> >> /usr/lib/gnome-keyring/gnome-keyring-pkcs11.so   Volatile         (New)
> >>
> >> /usr/lib/pkgconfig/gnome-keyring-1.pc            Volatile         (unchanged)
> >> /usr/include/gnome-keyring-1/gnome-keyring.h     Volatile         (unchanged)
> >> /usr/include/gnome-keyring-1/gnome-keyring-memory.h  Volatile     (unchanged)
> >> /usr/include/gnome-keyring-1/gnome-keyring-result.h  Volatile     (unchanged)
> >>
> >> ~/.gnome2/keyrings                               Project Private  Location where keyrings
> >>                                                                   are stored
> >>
> >> /usr/share/dbus-1/services/org.gnome.keyring.service
> >>                                                  Project Private  DBus service file (New)
> >>
> >> org.gnome.keyrings.Daemon                        Volatile         DBus interface
> >>                                                                   (session interface)
> >> org.gnome.keyrings.Daemon GetSocketPath          Volatile         DBus method, return
> >>                                                                   socket path.
> >>
> >> Imported Interfaces
> >>
> >> Interface         Classification   Comments
> >> ---------------   ---------------  -----------------------
> >> GTK+              Committed        LSARC/2008/207
> >> GLib              Committed        LSARC/2008/207
> >> D-Bus             Volatile         LSARC/2006/368
> >> libhal            Volatile         PSARC/2005/399
> >> libgcrypt         Volatile         LSARC/2008/354
> >> libtasn1          Volatile         LSARC/2008/390
> >>
> >> 4.6. Packaging & Delivery:
> >>
> >> No new packages are delivered. The two existing packages:
> >>
> >> SUNWgnome-libs (base package)           - base package for binaries
> >> SUNWgnome-libs-devel (development package) - development package for
> >>
> >> 4.7 Security Impact:
> >>
> >> Please refer to [7].
> >>
> >> 4.8 Dependencies:
> >>
> >> libtasn1 is a new imported interface. gnome-keyring makes use of
> >> libtasn1 to parse X509 certificate and general certificate.
> >>
> >> 5. References
> >>
> >> [1] New API storing passwords:
> >>     http://live.gnome.org/GnomeKeyring/StoringPasswords
> >> [2] Homepage:
> >>     http://live.gnome.org/GnomeKeyring
> >> [3] API document:
> >>     http://library.gnome.org/devel/gnome-keyring/stable/
> >> [4] GNOME 2.14 ARC: LSARC/2006/202/
> >> [5] Configure other applications to use gnome-keyring certificates
> >>     and keys:
> >>     http://live.gnome.org/GnomeKeyring/ApplicationSetup
> >> [6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
> >> [7] GNOME 2.14 security questionnaire:
> >>     http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
> >>
> >> 6. Resources and Schedule
> >>
> >> 6.4. Steering Committee requested information
> >>      6.4.1. Consolidation C-team Name:
> >>             Desktop
> >> 6.5. ARC review type: FastTrack
> >> 6.6. ARC Exposure: open
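The agent described in section 4.2 picks up ~/.ssh/id_?sa and the ~/.gnome2/keystore files in the formats listed in section 4.3 without any 'loading' step, so a reviewer will want to know which of those files are private keys stored with no passphrase. The following script is an added example, not part of the ARC case or of gnome-keyring's own code: it classifies files by their PEM or DER markers and reports the unprotected private keys. The file map is constructed inline; the bodies are placeholders, not real key material.

```python
# Added example (not from the ARC case or gnome-keyring). Classifies key and
# certificate files by the section 4.3 formats and flags private keys the
# SSH agent would pick up with no passphrase. Sample data is constructed.
import re

# PEM label -> (format name from the supported-format list, is_private_key)
PEM_LABELS = {
    "CERTIFICATE": ("DER certificate (PEM encoded)", False),
    "PKCS7": ("PKCS#7 certificate bundle", False),
    "RSA PRIVATE KEY": ("PKCS#1 RSA key", True),
    "DSA PRIVATE KEY": ("DSA key", True),
    "PRIVATE KEY": ("PKCS#8 key (unencrypted)", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 encrypted key", True),
}

def classify(data: bytes) -> dict:
    """Return the format, whether it is a private key, and whether it is encrypted."""
    if data.startswith(b"\x30"):  # DER SEQUENCE: cert or raw key; not parsed further here
        return {"format": "DER", "private": None, "encrypted": False}
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if not m:
        return {"format": "unknown", "private": None, "encrypted": False}
    label = m.group(1).decode()
    fmt, private = PEM_LABELS.get(label, ("PEM " + label, None))
    # Legacy OpenSSL PEM encryption is signalled by a Proc-Type header in the body
    legacy_encrypted = b"Proc-Type: 4,ENCRYPTED" in data
    encrypted = legacy_encrypted or label == "ENCRYPTED PRIVATE KEY"
    return {"format": fmt, "private": private, "encrypted": encrypted}

def unprotected_keys(files: dict) -> list:
    """Paths of private keys the agent could use without any passphrase."""
    return [path for path, data in files.items()
            if (c := classify(data))["private"] and not c["encrypted"]]

# Constructed stand-ins for the search paths in section 4.3 (not real keys).
SAMPLE_FILES = {
    "~/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "~/.ssh/id_dsa": (b"-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      b"DEK-Info: DES-EDE3-CBC,0123\n\nMIIB...\n-----END DSA PRIVATE KEY-----\n"),
    "~/.gnome2/keystore/me.pem": b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
    "~/.gnome2/keystore/me.p8": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(path, classify(data))
    print("unprotected private keys:", unprotected_keys(SAMPLE_FILES))
```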
