gnome-keyring [LSARC/2008/430 FastTrack timeout 07/15/2008]
Stephen Browne
Stephen.Browne at sun.com
Mon Jul 14 07:07:28 PDT 2008
John,
gnome-keyring is started at each label the user instantiates a workspace
for.
Stephen.
On Thu, 2008-07-10 at 06:59, Jeff Cai wrote:
> John Fischer wrote:
> > Jeff,
> >
> > Just a few questions...
> >
> > How does this work with Trusted Extensions? Will there
> > be a separate keyring per label? Has this been answered
> > previously in another ARC case?
> >
> This issue has not been discussed before. I think Stephen Browne can
> give more about it.
> >
> >> /usr/lib/gnome-keyring/ \ Volatile (New)
> >> gnome-keyring-pkcs11.so
> >>
> >
> > This appears to be a Project Private library as it is
> > hidden underneath /usr/lib/gnome-keyring directory.
> > Is that correct? If so then it should be declared as
> > Project Private.
> >
> As Darren has said, the library can be added by cryptoadm(1M) as a
> provider, so I'd like it to be a volatile interface.
> > It appears from the document that the default behavior
> > is to have the ssh agent turned off for Solaris. Thus
> > it will use OpenSSH. Is that correct?
> >
> Currently, ssh-agent is started in /usr/dt/config/Xsession.jds. Since
> gnome-session will also start gnome-keyring-daemon with the ssh agent
> enabled, the start script for ssh-agent in Xsession.jds will be removed
> in case of conflict.
>
> Jeff
> > Thanks,
> >
> > John
> >
> > On Tue, 2008-07-08 at 23:48, Shi-Ying Irene Huang wrote:
> >
> >> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
> >> This information is Copyright 2008 Sun Microsystems
> >> 1. Introduction
> >> 1.1. Project/Component Working Name:
> >> gnome-keyring
> >> 1.2. Name of Document Author/Supplier:
> >> Author: Jeff Cai
> >> 1.3 Date of This Document:
> >> 08 July, 2008
> >> 4. Technical Description
> >> 1. Introduction
> >> 1.1. Project/Component Working Name:
> >>
> >> GNOME Keyring
> >>
> >> 1.2. Name of Document Author/Supplier:
> >>
> >> Author: Jeff Cai
> >> Sponsor: Irene Huang
> >>
> >> 1.3. Date of This Document:
> >>
> >> 07/09/2008
> >>
> >> 1.4. Name of Major Document Customer(s)/Consumer(s):
> >>
> >> 1.4.1. The PAC or CPT you expect to review your project:
> >>
> >> Solaris PAC
> >>
> >> 1.4.2. The ARC(s) you expect to review your project:
> >>
> >> LSARC
> >>
> >> 1.4.3. The Director/VP who is "Sponsoring" this project:
> >>
> >> Robert O'Dea
> >>
> >> 1.4.4. The name of your business unit:
> >>
> >> Software - OPG
> >>
> >> 1.5. Email Aliases:
> >> 1.5.1. Responsible Manager: harry.lu at sun.com
> >> 1.5.2. Responsible Engineer: jeff.cai at sun.com
> >> 1.5.3. Marketing Manager:
> >> 1.5.4. Interest List: brian.cameron at sun.com
> >> darren.moffat at sun.com
> >> wyllys.ingersoll at sun.com
> >>
> >> 2. Project Summary
> >> 2.1. Project Description:
> >>
> >> GNOME Keyring is a system to store passwords and other sensitive data in a
> >> standardized way across all GNOME applications.
> >>
> >> A keyring stores a collection of encrypted passwords and encrypted
> >> information about those passwords. A user can have multiple keyrings, each
> >> for a different use, but there is a default one, called 'login'. There is
> >> also a special 'session' keyring which is not stored on disk and goes away
> >> when you log out.
> >>
> >> When a user logs into GNOME, the keyrings are locked and a master keyring
> >> password has to be provided in order to unlock each of them.
> >>
> >> This fast-track increments the version of gnome-keyring in Solaris
> >> from 2.20.3 to 2.22.3.
> >>
> >> 4. Technical Description:
> >>
> >> 4.1. Details:
> >>
> >> Compared with the previous version, 2.20, the following features have been added:
> >>
> >> - Basic X.509 certificate and key store.
> >> - PKCS#11 module for accessing certificates and keys.
> >> - Now includes an SSH agent.
> >> - Automatically activate keyring daemon via DBus if it is not already
> >> running.
> >> - Add a simpler API for accessing and storing passwords. Older APIs
> >> exist too. Refer to [1].
> >>
> >> 4.2 GNOME Keyring SSH Agent
> >>
> >> GNOME Keyring includes an SSH agent which integrates with the gnome-keyring
> >> and user login for its passwords. It can also use the main X.509 private
> >> key store.
> >>
> >> GNOME Keyring will set the SSH_AUTH_SOCK environment variable when it
> >> starts up.
> >>
> >> The id_rsa and id_dsa files in ~/.ssh are automatically usable through the
> >> SSH agent without first 'loading' them. Other X.509 private keys marked
> >> with the 'ssh-authentication' purpose are also usable.
> >>
> >> Additional SSH keys can be manually loaded and managed via the ssh-add
> >> command.
> >>
> >> If you use another SSH agent (such as the ssh-agent included with OpenSSH),
> >> you may want to disable the SSH agent in GNOME Keyring to prevent ssh from
> >> using it instead of your preferred SSH agent. You can set the
> >> /apps/gnome-keyring/daemon-components/ssh
> >> gconf key to false. This prevents the SSH component of gnome-keyring from
> >> starting up when the user logs in.
> >>
> >> The default GNOME start up script (/usr/dt/config/Xsession.jds) will be
> >> changed to NOT start up "under" ssh-agent like it does today and instead
> >> ensure the environment variables for the gnome-keyring version are set
> >> early enough.
> >>
> >> 4.3 GNOME Keyring Certificates and Encryption Keys
> >>
> >> The following paths are searched for encryption keys and certificate files.
> >>
> >> - ~/.ssh/id_?sa
> >> - ~/.gnome2/keystore/*
> >>
> >> Most standard file formats for keys and certificates are supported:
> >>
> >> Certificates
> >>
> >> * Standard DER encoded certificates.
> >> * Certificates contained in PKCS#7 files.
> >> * Certificates contained in PKCS#8 files.
> >> * PEM encodings of the above.
> >>
> >> Encryption Keys
> >>
> >> * PKCS#1 RSA keys.
> >> * PKCS#8 encrypted RSA and DSA keys.
> >> * DER encoded DSA keys.
> >> * PEM encodings of the above.
> >> * OpenSSL PEM encrypted keys.
> >>
> >> File Encryption and Password Algorithms
> >>
> >> PKCS#5 PBE
> >>
> >> * DES CBC MD2
> >> * DES CBC MD5
> >> * DES CBC SHA1
> >>
> >> PKCS#5 PBE2
> >>
> >> * DES CBC SHA1
> >> * 3DES CBC SHA1
> >> * RC2-128 CBC SHA1
> >>
> >> PKCS#12 PBE
> >>
> >> * RC4-128 STREAM SHA1
> >> * 3DES CBC SHA1
> >> * RC2-128 CBC SHA1
> >> * RC2-40 CBC SHA1
> >>
> >> Supported crypto mechanisms include
> >>
> >> - DSA: sign/verify
> >> - RSA: encrypt/decrypt sign/verify
> >>
> >> 4.4 GNOME Keyring Cryptoki (PKCS#11) Support
> >>
> >> PKCS#11 is a standard that lets applications use encryption keys and
> >> certificates on devices like smart cards. gnome-keyring implements this
> >> standard and acts as such a device, storing keys and certificates and
> >> making them available for applications to use.
> >>
> >> PKCS#11 deals directly with things like RSA/DSA signing operations and
> >> certificate attributes. It's a bit low level. Usually one uses PKCS#11
> >> through a crypto library like NSS. [5]
> >>
> >> PKCS#11 in gnome-keyring actually uses the libgcrypt crypto API to perform
> >> the actual crypto operations; nowhere in the keyring/pkcs11 code do they
> >> re-implement RSA or DSA key generation or crypto functionality.
> >>
> >>
> >> 4.5. Interfaces:
> >> Exported Interfaces
> >> Interface Classification Comments
> >> --------------- -------------- -----------------------
> >> SUNWgnome-libs Uncommitted Package name (unchanged)
> >> SUNWgnome-libs-devel Uncommitted Package name (unchanged)
> >>
> >> /usr/lib/libgnome-keyring.so Volatile Symbolic Link (unchanged)
> >> /usr/lib/libgnome-keyring.so.0 Volatile SONAME (changed)
> >>
> >>
> >> /usr/share/gconf/schemas/ \ Volatile GConf key schemas that
> >> gnome-keyring.schemas define the preferences for
> >> the tools (New)
> >>
> >> /usr/bin/gnome-keyring-daemon Volatile (unchanged)
> >> /usr/lib/gnome-keyring-ask Project Private (unchanged)
> >>
> >> /usr/lib/gnome-keyring/ \ Volatile (New)
> >> gnome-keyring-pkcs11.so
> >>
> >> /usr/lib/pkgconfig/ \
> >> gnome-keyring-1.pc Volatile (unchanged)
> >> /usr/include/gnome-keyring-1/ \
> >> gnome-keyring.h Volatile (unchanged)
> >> /usr/include/gnome-keyring-1/ \
> >> gnome-keyring-memory.h Volatile (unchanged)
> >> /usr/include/gnome-keyring-1/ \
> >> gnome-keyring-result.h Volatile (unchanged)
> >>
> >> ~/.gnome2/keyrings Project Private Location where keyrings
> >> are stored
> >>
> >> /usr/share/dbus-1/services/ \ Project
> >> org.gnome.keyring.service Private DBus service file (New)
> >>
> >> org.gnome.keyrings.Daemon Volatile DBus interface
> >> (session interface)
> >> org.gnome.keyrings.Daemon \
> >> GetSocketPath Volatile DBus method, return
> >> socket path.
> >> Imported Interfaces
> >> Interface Classification Comments
> >> --------------- --------------- -----------------------
> >> GTK+ Committed LSARC/2008/207
> >> GLib Committed LSARC/2008/207
> >> D-Bus Volatile LSARC/2006/368
> >> libhal Volatile PSARC/2005/399
> >> libgcrypt Volatile LSARC/2008/354
> >> libtasn1 Volatile LSARC/2008/390
> >>
> >> 4.6. Packaging & Delivery:
> >>
> >> No new packages are delivered. The two existing packages:
> >> SUNWgnome-libs(base package) - base package for binaries
> >> SUNWgnome-libs-devel (development package) - development package for
> >>
> >> 4.7 Security Impact:
> >>
> >> Please refer to [7].
> >>
> >> 4.8 Dependencies:
> >>
> >> libtasn1 is a new imported interface. gnome-keyring makes use of libtasn1 to
> >> parse X.509 certificates and general certificates.
> >>
> >> 5. References
> >> [1] New API storing passwords:
> >> http://live.gnome.org/GnomeKeyring/StoringPasswords
> >> [2] Homepage:
> >> http://live.gnome.org/GnomeKeyring
> >> [3] API document: http://library.gnome.org/devel/gnome-keyring/stable/
> >> [4] GNOME 2.14 ARC: LSARC/2006/202/
> >> [5] Configure other applications to use gnome-keyring certificates and keys:
> >> http://live.gnome.org/GnomeKeyring/ApplicationSetup
> >> [6] PKCS#11: http://live.gnome.org/GnomeKeyring/Cryptoki
> >> [7] GNOME 2.14 security questionnaire:
> >> http://sac.sfbay/LSARC/2006/202/updated.materials-3/security-questionnaire.txt
> >>
> >>
> >> 6. Resources and Schedule
> >> 6.4. Steering Committee requested information
> >> 6.4.1. Consolidation C-team Name:
> >> Desktop
> >> 6.5. ARC review type: FastTrack
> >> 6.6. ARC Exposure: open
> >>
> >>
> >
> >
>
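An added example, not part of the ARC case text and not gnome-keyring's or Solaris' own code, covering two points raised in the thread: which SSH agent a GNOME session actually ends up talking to once Xsession.jds no longer runs "under" ssh-agent (section 4.2), including the gconf key that turns the gnome-keyring SSH component off, and registering /usr/lib/gnome-keyring/gnome-keyring-pkcs11.so with cryptoadm(1M) as Jeff describes. The socket path shapes matched by agent_kind (a keyring-XXXXXX/socket.ssh path for gnome-keyring 2.22, an ssh-XXXXXXXXXX/agent.<pid> path for OpenSSH's ssh-agent) are assumptions of this example; the case text names neither path. The cryptoadm invocation assumes the Crypto Management rights profile.

```shell
#!/bin/sh
# Added example; not from the ARC case or the gnome-keyring project.
# Assumption: gnome-keyring 2.22 puts its agent socket at
# .../keyring-XXXXXX/socket.ssh and OpenSSH's ssh-agent at
# .../ssh-XXXXXXXXXX/agent.<pid>. Neither path is stated in the case.

# Classify an SSH_AUTH_SOCK value by the shape of its path.
agent_kind() {
  case "$1" in
    '')                      echo none ;;
    */keyring-*/socket.ssh)  echo gnome-keyring ;;
    */ssh-*/agent.[0-9]*)    echo openssh ;;
    *)                       echo unknown ;;
  esac
}

# Report which agent the ssh client in this session would use and whether
# the socket is live. Returns 0 only when a live agent socket is found.
check_session_agent() {
  if [ -z "${SSH_AUTH_SOCK}" ]; then
    echo "SSH_AUTH_SOCK is unset: ssh will prompt for passphrases" >&2
    return 1
  fi
  kind=$(agent_kind "${SSH_AUTH_SOCK}")
  if [ ! -S "${SSH_AUTH_SOCK}" ]; then
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK} is not a live socket (${kind})" >&2
    return 1
  fi
  echo "agent: ${kind} (${SSH_AUTH_SOCK})"
  # With the gnome-keyring agent, ~/.ssh/id_rsa and id_dsa are listed
  # without an explicit ssh-add; with OpenSSH only loaded keys appear.
  ssh-add -l 2>/dev/null || :
  return 0
}

# Turn the gnome-keyring SSH component off for this user via the gconf key
# named in section 4.2 of the case. Takes effect at the next login.
disable_keyring_ssh_agent() {
  command -v gconftool-2 >/dev/null 2>&1 || {
    echo "gconftool-2 not found" >&2; return 1; }
  gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
}

# Register the gnome-keyring PKCS#11 module as a user-level provider in the
# Solaris cryptographic framework and show the resulting provider list.
register_keyring_pkcs11() {
  mod=/usr/lib/gnome-keyring/gnome-keyring-pkcs11.so
  [ -r "$mod" ] || { echo "$mod is not installed" >&2; return 1; }
  cryptoadm install provider="$mod" && cryptoadm list
}

# Dispatcher: "status" (default), "disable" or "pkcs11".
case "${1:-status}" in
  status)  check_session_agent || : ;;
  disable) disable_keyring_ssh_agent || : ;;
  pkcs11)  register_keyring_pkcs11 || : ;;
esac
```

Run it with no argument from a terminal inside the GNOME session to see which agent owns SSH_AUTH_SOCK; a session that still exports the OpenSSH socket while gnome-keyring-daemon also started its own agent is the conflict the Xsession.jds change is meant to remove. The "disable" action is the per-user opt-out the case describes for people who prefer OpenSSH's ssh-agent; "pkcs11" is what makes the module visible to consumers of the Solaris cryptographic framework rather than only to GNOME applications.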