If there are any more issues with this case, please raise them within 24 hours. I'll close this case as approved tomorrow if there's no more discussion.
--Irene

On Mon, 2008-07-14 at 15:07 +0100, Stephen Browne wrote:
> John,
>
> gnome-keyring is started at each label the user instantiates a
> workspace for.
>
> Stephen.
>
>
> On Thu, 2008-07-10 at 06:59, Jeff Cai wrote:
> > John Fischer wrote:
> > > Jeff,
> > >
> > > Just a few questions...
> > >
> > > How does this work with Trusted Extensions? Will there
> > > be a separate keyring per label? Has this been answered
> > > previously in another ARC case?
> > >
> > This issue has not been discussed before. I think Stephen Browne can
> > give more about it.
> >
> > >> /usr/lib/gnome-keyring/ \          Volatile         (New)
> > >>   gnome-keyring-pkcs11.so
> > >>
> > >
> > > This appears to be a Project Private library as it is
> > > hidden underneath the /usr/lib/gnome-keyring directory.
> > > Is that correct? If so then it should be declared as
> > > Project Private.
> > >
> > As Darren has said, the library can be added by cryptoadm(1M) as a
> > provider, so I'd like it to be a volatile interface.
> > > It appears from the document that the default behavior
> > > is to have the ssh agent turned off for Solaris. Thus
> > > it will use OpenSSH. Is that correct?
> > >
> > Currently, ssh-agent is started in /usr/dt/config/Xsession.jds. Since
> > gnome-session will also start gnome-keyring-daemon with ssh agent
> > enabled, the start script of ssh-agent in Xsession.jds will be removed
> > to avoid the conflict.
> >
> > Jeff
> > > Thanks,
> > >
> > > John
> > >
> > > On Tue, 2008-07-08 at 23:48, Shi-Ying Irene Huang wrote:
> > >
> > >> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
> > >> This information is Copyright 2008 Sun Microsystems
> > >> 1. Introduction
> > >>     1.1. Project/Component Working Name:
> > >>          gnome-keyring
> > >>     1.2. Name of Document Author/Supplier:
> > >>          Author:  Jeff Cai
> > >>     1.3  Date of This Document:
> > >>          08 July, 2008
> > >> 4. Technical Description
> > >> 1. Introduction
> > >> 1.1. Project/Component Working Name:
> > >>
> > >>      GNOME Keyring
> > >>
> > >> 1.2. Name of Document Author/Supplier:
> > >>
> > >>      Author: Jeff Cai
> > >>      Sponsor: Irene Huang
> > >>
> > >> 1.3. Date of This Document:
> > >>
> > >>      07/09/2008
> > >>
> > >> 1.4. Name of Major Document Customer(s)/Consumer(s):
> > >>
> > >> 1.4.1. The PAC or CPT you expect to review your project:
> > >>
> > >>        Solaris PAC
> > >>
> > >> 1.4.2. The ARC(s) you expect to review your project:
> > >>
> > >>        LSARC
> > >>
> > >> 1.4.3. The Director/VP who is "Sponsoring" this project:
> > >>
> > >>        Robert O'Dea
> > >>
> > >> 1.4.4. The name of your business unit:
> > >>
> > >>        Software - OPG
> > >>
> > >> 1.5. Email Aliases:
> > >> 1.5.1. Responsible Manager: harry.lu at sun.com
> > >> 1.5.2. Responsible Engineer: jeff.cai at sun.com
> > >> 1.5.3. Marketing Manager:
> > >> 1.5.4. Interest List: brian.cameron at sun.com
> > >>                       darren.moffat at sun.com
> > >>                       wyllys.ingersoll at sun.com
> > >>
> > >> 2. Project Summary
> > >> 2.1. Project Description:
> > >>
> > >> GNOME Keyring is a system to store passwords and other sensitive data
> > >> in a standardized way across all GNOME applications.
> > >>
> > >> A keyring stores a collection of encrypted passwords and encrypted
> > >> information about those passwords. A user can have multiple keyrings,
> > >> each for a different use, but there is a default one, called 'login'.
> > >> There is also a special 'session' keyring which is not stored on disk
> > >> and goes away when you log out.
> > >>
> > >> When a user logs into GNOME, the keyrings are locked and a master
> > >> keyring password has to be provided in order to unlock each of them.
> > >>
> > >> This fast-track increments the version of gnome-keyring in Solaris
> > >> from 2.20.3 to 2.22.3.
> > >>
> > >> 4. Technical Description:
> > >>
> > >> 4.1. Details:
> > >>
> > >> Compared with the previous version 2.20, the following features have
> > >> been added:
> > >>
> > >> - Basic X.509 certificate and key store.
> > >> - PKCS#11 module for accessing certificates and keys.
> > >> - Now includes an SSH agent.
> > >> - Automatically activate keyring daemon via DBus if it is not already
> > >>   running.
> > >> - Add a simpler API for accessing and storing passwords. Older APIs
> > >>   exist too. Refer to [1]
> > >>
> > >> 4.2 GNOME Keyring SSH Agent
> > >>
> > >> GNOME Keyring includes an SSH agent which integrates with the
> > >> gnome-keyring and user login for its passwords. It can also use the
> > >> main X.509 private key store.
> > >>
> > >> GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
> > >> starts up.
> > >>
> > >> The id_rsa and id_dsa files in ~/.ssh are automatically usable through
> > >> the SSH agent without first 'loading' them. Other X.509 private keys
> > >> marked with the 'ssh-authentication' purpose are also usable.
> > >>
> > >> Additional SSH keys can be manually loaded and managed via the ssh-add
> > >> command.
> > >>
> > >> If you use another SSH agent (such as the ssh-agent included with
> > >> OpenSSH), you may want to disable the SSH agent in GNOME Keyring to
> > >> prevent ssh from using it instead of your preferred SSH agent. You can
> > >> set the /apps/gnome-keyring/daemon-components/ssh gconf key to false.
> > >> This prevents the SSH component of gnome-keyring from starting up when
> > >> the user logs in.
> > >>
> > >> The default GNOME start up script (/usr/dt/config/Xsession.jds) will
> > >> be changed to NOT start up "under" ssh-agent like it does today and
> > >> instead ensure the environment variables for the gnome-keyring version
> > >> are set early enough.
> > >>
> > >> 4.3 GNOME Keyring Certificates and Encryption Keys
> > >>
> > >> The following paths are searched for encryption keys and certificate
> > >> files.
> > >>
> > >> - ~/.ssh/id_?sa
> > >> - ~/.gnome2/keystore/*
> > >>
> > >> Most standard file formats for keys and certificates are supported:
> > >>
> > >> Certificates
> > >>
> > >> * Standard DER encoded certificates.
> > >> * Certificates contained in PKCS#7 files.
> > >> * Certificates contained in PKCS#8 files.
> > >> * PEM encodings of the above.
> > >>
> > >> Encryption Keys
> > >>
> > >> * PKCS#1 RSA keys.
> > >> * PKCS#8 encrypted RSA and DSA keys.
> > >> * DER encoded DSA keys.
> > >> * PEM encodings of the above.
> > >> * OpenSSL PEM encrypted keys.
> > >>
> > >> File Encryption and Password Algorithms
> > >>
> > >> PKCS#5 PBE
> > >>
> > >> * DES CBC MD2
> > >> * DES CBC MD5
> > >> * DES CBC SHA1
> > >>
> > >> PKCS#5 PBE2
> > >>
> > >> * DES CBC SHA1
> > >> * 3DES CBC SHA1
> > >> * RC2-128 CBC SHA1
> > >>
> > >> PKCS#12 PBE
> > >>
> > >> * RC4-128 STREAM SHA1
> > >> * 3DES CBC SHA1
> > >> * RC2-128 CBC SHA1
> > >> * RC2-40 CBC SHA1
> > >>
> > >> Supported crypto mechanisms include
> > >>
> > >> - DSA: sign/verify
> > >> - RSA: encrypt/decrypt sign/verify
> > >>
> > >> 4.4 GNOME Keyring Cryptoki (PKCS#11) Support
> > >>
> > >> PKCS#11 is a standard that lets applications use encryption keys and
> > >> certificates on devices like smart cards. gnome-keyring implements this
> > >> standard and acts as such a device, storing keys and certificates and
> > >> making them available for applications to use.
> > >>
> > >> PKCS#11 deals directly with things like RSA/DSA signing operations, and
> > >> certificate attributes. It's a bit low level. Usually one uses PKCS#11
> > >> through a crypto library like NSS. [5]
> > >>
> > >> PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to
> > >> perform the actual crypto operations; nowhere in the keyring/pkcs11
> > >> code do they actually re-implement RSA or DSA key-generation or crypto
> > >> functionality.
> > >>
> > >>
> > >> 4.5. Interfaces:
> > >>     Exported Interfaces
> > >>     Interface                        Classification   Comments
> > >>     ---------------                  --------------   -----------------------
> > >>     SUNWgnome-libs                   Uncommitted      Package name (unchanged)
> > >>     SUNWgnome-libs-devel             Uncommitted      Package name (unchanged)
> > >>
> > >>     /usr/lib/libgnome-keyring.so     Volatile         Symbolic Link (unchanged)
> > >>     /usr/lib/libgnome-keyring.so.0   Volatile         SONAME (changed)
> > >>
> > >>     /usr/share/gconf/schemas/ \      Volatile         GCONF keys schemas that
> > >>       gnome-keyring.schemas                           define the preferences
> > >>                                                       for the tools (New)
> > >>
> > >>     /usr/bin/gnome-keyring-daemon    Volatile         (unchanged)
> > >>     /usr/lib/gnome-keyring-ask       Project Private  (unchanged)
> > >>
> > >>     /usr/lib/gnome-keyring/ \        Volatile         (New)
> > >>       gnome-keyring-pkcs11.so
> > >>
> > >>     /usr/lib/pkgconfig/ \
> > >>       gnome-keyring-1.pc             Volatile         (unchanged)
> > >>     /usr/include/gnome-keyring-1/ \
> > >>       gnome-keyring.h                Volatile         (unchanged)
> > >>     /usr/include/gnome-keyring-1/ \
> > >>       gnome-keyring-memory.h         Volatile         (unchanged)
> > >>     /usr/include/gnome-keyring-1/ \
> > >>       gnome-keyring-result.h         Volatile         (unchanged)
> > >>
> > >>     ~/.gnome2/keyrings               Project Private  Location where keyrings
> > >>                                                       are stored
> > >>
> > >>     /usr/share/dbus-1/services/ \    Project Private  DBus service file (New)
> > >>       org.gnome.keyring.service
> > >>
> > >>     org.gnome.keyrings.Daemon        Volatile         DBus interface
> > >>                                                       (session interface)
> > >>     org.gnome.keyrings.Daemon \      Volatile         DBus method, returns
> > >>       GetSocketPath                                   socket path.
> > >>
> > >>     Imported Interfaces
> > >>     Interface        Classification   Comments
> > >>     ---------------  ---------------  -----------------------
> > >>     GTK+             Committed        LSARC/2008/207
> > >>     GLib             Committed        LSARC/2008/207
> > >>     D-Bus            Volatile         LSARC/2006/368
> > >>     libhal           Volatile         PSARC/2005/399
> > >>     libgcrypt        Volatile         LSARC/2008/354
> > >>     libtasn1         Volatile         LSARC/2008/390
> > >>
> > >> 4.6. Packaging & Delivery:
> > >>
> > >> No new packages are delivered. The two existing packages:
> > >>     SUNWgnome-libs (base package) - base package for binaries
> > >>     SUNWgnome-libs-devel (development package) - development
> > >>     package for
> > >>
> > >> 4.7 Security Impact:
> > >>
> > >> Please refer to [7].
> > >>
> > >> 4.8 Dependencies:
> > >>
> > >> libtasn1 is a new imported interface. gnome-keyring makes use of
> > >> libtasn1 to parse X509 certificates and general certificates.
> > >>
> > >> 5. References
> > >> [1] New API storing passwords:
> > >>     http://live.gnome.org/GnomeKeyring/StoringPasswords
> > >> [2] Homepage:
> > >>     http://live.gnome.org/GnomeKeyring
> > >> [3] API document:
> > >>     http://library.gnome.org/devel/gnome-keyring/stable/
> > >> [4] GNOME 2.14 ARC: LSARC/2006/202/
> > >> [5] Configure other applications to use gnome-keyring
> > >>     certificates and keys:
> > >>     http://live.gnome.org/GnomeKeyring/ApplicationSetup
> > >> [6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
> > >> [7] GNOME 2.14 security questionnaire:
> > >>     http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
> > >>
> > >>
> > >> 6. Resources and Schedule
> > >> 6.4. Steering Committee requested information
> > >> 6.4.1. Consolidation C-team Name:
> > >>        Desktop
> > >> 6.5. ARC review type: FastTrack
> > >> 6.6. ARC Exposure: open
> > >>
> > >>
> > >
> > >
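Section 4.2 of the quoted case says the id_rsa and id_dsa files in ~/.ssh become usable through the gnome-keyring SSH agent without an explicit ssh-add, and section 4.3 names the two locations the daemon searches (~/.ssh/id_?sa and ~/.gnome2/keystore/*). A reviewer or administrator evaluating that change will want to know which files in a home directory fall into those locations and whether the private keys among them are passphrase-protected. The script below is an added example written for this thread, not code from the ARC case or from gnome-keyring: it walks those two locations, classifies each file by its PEM header or leading DER byte, and flags PEM private keys stored without encryption. It assumes a POSIX sh with grep(1) and od(1); the KEYAUDIT_HOME variable and the function names are this example's own, and the sample files it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not part of the ARC case or of gnome-keyring. Audits the
# locations section 4.3 says the keyring searches for keys and certificates
# and reports whether each PEM private key found is passphrase-protected.
# Assumes POSIX sh, grep(1) and od(1). KEYAUDIT_HOME is this example's own
# knob, not a gnome-keyring setting.

# classify_keyfile FILE
# Prints one of: pem-key-plain, pem-key-encrypted, pem-cert, pem-other,
# der, unknown. Only headers are inspected; no key material is parsed.
classify_keyfile() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    if grep -q -e '^-----BEGIN' "$f" 2>/dev/null; then
        if grep -q -e '^-----BEGIN CERTIFICATE' "$f"; then
            echo pem-cert
        elif grep -q -e 'PRIVATE KEY-----' "$f"; then
            # Legacy OpenSSL PEM marks an encrypted key with a Proc-Type
            # header; PKCS#8 uses a distinct "ENCRYPTED PRIVATE KEY" block.
            if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
                       -e '^-----BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
                echo pem-key-encrypted
            else
                echo pem-key-plain
            fi
        else
            echo pem-other
        fi
        return 0
    fi
    # Binary DER begins with the ASN.1 SEQUENCE tag 0x30. A DER file may be
    # a certificate or a key, so it is only reported for manual inspection.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# audit_keydir HOMEDIR
# Lists every candidate file in the two searched locations with its
# classification. Returns 1 if any PEM private key is stored without a
# passphrase (and would be served by the agent as-is), otherwise 0.
audit_keydir() {
    home=$1
    rc=0
    for f in "$home"/.ssh/id_?sa "$home"/.gnome2/keystore/*; do
        [ -f "$f" ] || continue
        kind=$(classify_keyfile "$f")
        echo "$f: $kind"
        [ "$kind" = pem-key-plain ] && rc=1
    done
    return $rc
}

# Stand-alone use (constructed path): KEYAUDIT_HOME=/export/home/alice sh keyaudit.sh
if [ -n "${KEYAUDIT_HOME:-}" ]; then
    audit_keydir "$KEYAUDIT_HOME"
fi
```

The exit status makes the check usable from a login-time or configuration-audit script: a non-zero result means a key the agent will expose on login has no passphrase of its own, which is the case where disabling the keyring's SSH component through the /apps/gnome-keyring/daemon-components/ssh gconf key mentioned in 4.2, or adding a passphrase to the key, deserves a decision rather than a default. DER files are listed but never flagged, because a SEQUENCE tag alone does not distinguish a certificate from a key.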
