Request for comments: GNOME Keychain

From: Mikael Hallendal <micke codefactory se>
To: GNOME Hackers <gnome-hackers gnome org>, GNOME Desktop Devel <desktop-devel-list gnome org>
Cc: hema seetharamaiah wipro com
Subject: Request for comments: GNOME Keychain
Date: 06 Aug 2002 14:24:43 +0200

Hi!

A while back I started looking some on implementing something similar to
Keychain Manager used in Mac OS X. Documentation at:
http://developer.apple.com/techpubs/macosx/Carbon/securityservices/keychainmanager/keychainmanager.html

Today Hema Seetharamaiah from Wipro asked me for progress mentioning
that they where going to start working on something similar. So I wanted
to post a mail about what I was planning and ask for feedback (and
possibly others that might be interested in helping out).

I was planning to write it with a similar architecture of GConf. A
daemon managing the keychains and a client C API which would be used by
the applications to retrieve the key items.

The daemon will be started when first needed (we might want to have the
default keychain unlocked at login time and the daemon would then start
running at login) until session ends.

What will happen when an application needs access to a certain keychain
item. Say Nautilus needs access to http://my.site.com/webdav so that it
can put a file there:

1) Nautilus notices that http://my.site.com/webdav needs a
username/password for write access.

2) It asks the GNOME keychain daemon (through the client API) for the
keychain item for write access to http://my.site.com/webdav.

3) The keychain daemon looks in it's unlocked keychains (if we have
support for multiple keychains).

4a) If the item is found it checks if Nautilus has access to get it.

4a.1) If Nautilus has access it returns the keychain item to Nautilus
where it can be used. The user wouldn't know that Nautilus
retrieved the information from the keychain daemon.

4a.2) If Nautilus doesn't have access a dialog is shown to the user
asking the user if Nautilus is allowed access. With the text
similar to "Nautilus asks for access to your key MyWebdav in
keychain Default, should it be granted Yes/No". The user can also
make sure that Nautilus is always allowed access to this key.

4b) If the key is not found in any of the unlocked keychains. The
keychain daemon looks in the locked keychains.

4b.1) If found, the user is presented with a dialog asking the user to
unlock the keychain. Something like: "Nautilus needs access to
key MyWebdav which is stored in locked keychain MySecureChain. If
you want to grant access to Nautilus you need to unlock the
keychain by giving your password. The item is then given to
Nautilus.

4b.2) If not found the item is not stored in any keychain. The user is
shown a dialog where he can enter the needed information. He can
then choose to store it in his default keychain or just store it
in a session-only keychain (in which case it will never be
written to disk).

A tool for managing the keychains, like remove keychain items, move an
item from one keychain to another, ..., needs to be written too.

This is just initial thoughts, what do you think?

Regards,
Mikael Hallendal

--
Mikael Hallendal micke codefactory se
CodeFactory AB http://www.codefactory.se/
Office: +46 (0)8 587 583 05 Cell: +46 (0)709 718 918

Follow-Ups:
- Re: Request for comments: GNOME Keychain
  - From: Hema Seetharamaiah
- Re: Request for comments: GNOME Keychain
  - From: Michael Meeks
- Re: Request for comments: GNOME Keychain
  - From: Ian McKellar

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]