Request for comments: GNOME Keychain


A while back I started looking some on implementing something similar to
Keychain Manager used in Mac OS X. Documentation at:

Today Hema Seetharamaiah from Wipro asked me for progress mentioning
that they where going to start working on something similar. So I wanted
to post a mail about what I was planning and ask for feedback (and
possibly others that might be interested in helping out).

I was planning to write it with a similar architecture of GConf. A
daemon managing the keychains and a client C API which would be used by
the applications to retrieve the key items.

The daemon will be started when first needed (we might want to have the
default keychain unlocked at login time and the daemon would then start
running at login) until session ends.

What will happen when an application needs access to a certain keychain
item. Say Nautilus needs access to so that it
can put a file there:

1) Nautilus notices that needs a 
   username/password for write access.

2) It asks the GNOME keychain daemon (through the client API) for the 
   keychain item for write access to

3) The keychain daemon looks in it's unlocked keychains (if we have 
   support for multiple keychains).

4a) If the item is found it checks if Nautilus has access to get it.

 4a.1) If Nautilus has access it returns the keychain item to Nautilus 
       where it can be used. The user wouldn't know that Nautilus
       retrieved the information from the keychain daemon.

 4a.2) If Nautilus doesn't have access a dialog is shown to the user
       asking the user if Nautilus is allowed access. With the text
       similar to "Nautilus asks for access to your key MyWebdav in
       keychain Default, should it be granted Yes/No". The user can also
       make sure that Nautilus is always allowed access to this key.

4b) If the key is not found in any of the unlocked keychains. The 
    keychain daemon looks in the locked keychains.

 4b.1) If found, the user is presented with a dialog asking the user to
       unlock the keychain. Something like: "Nautilus needs access to 
       key MyWebdav which is stored in locked keychain MySecureChain. If
       you want to grant access to Nautilus you need to unlock the 
       keychain by giving your password. The item is then given to 

 4b.2) If not found the item is not stored in any keychain. The user is 
       shown a dialog where he can enter the needed information. He can
       then choose to store it in his default keychain or just store it
       in a session-only keychain (in which case it will never be
       written to disk).

A tool for managing the keychains, like remove keychain items, move an
item from one keychain to another, ..., needs to be written too.

This is just initial thoughts, what do you think?

  Mikael Hallendal

Mikael Hallendal                micke codefactory se
CodeFactory AB        
Office: +46 (0)8 587 583 05     Cell: +46 (0)709 718 918

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]