Features/SystemCryptoDatabase

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Created page with '{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read...')
 
(Feature Name)
Line 7: Line 7:
  
 
= Feature Name =
 
= Feature Name =
<!-- The name of your feature -->
+
System Crypto Database
  
 
== Summary ==
 
== Summary ==
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
+
Allow NSS applications to access a shared crytpto database for each user (where user specific keys and certificates are stored) as well as access to a shared system database where shared system configuration is stored.
  
 +
NSS upstream has defined the design for this here: [[
 
== Owner ==
 
== Owner ==
 
<!--This should link to your home wiki page so we know who you are-->
 
<!--This should link to your home wiki page so we know who you are-->
* Name: [[User:FASAcountName| Your Name]]
+
* Name: [[User:rrelyea| Bob relyea]]
  
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
* email: <your email address so we can contact you, invite you to meetings, etc.>
+
* email: rrelyea@redhat.com
  
 
== Current status ==
 
== Current status ==
* Targeted release: [[Releases/{{FedoraVersion||next}} | {{FedoraVersion|long|next}} ]]  
+
* Targeted release: [[Releases/{{12||next}} | {{12|long|next}} ]]  
* Last updated: (DATE)
+
* Last updated: June 22, 2009
* Percentage of completion: XX%
+
* Percentage of completion: 60%
  
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
  
 
== Detailed Description ==
 
== Detailed Description ==
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
+
See Upstream wiki page.
  
 +
Actual implementation will involve:
 +
1) picking up NSS upstream changes.
 +
2) Adding a Fedora module to initialize the Fedora definitions of where the user and system databases exist.
 +
3) [future] Fedora module could be replaced with an IPA specific module which uses IPA to configure where various applications and user store their databases.
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
+
Applications can allow Fedora to configure much of their configuration information from a common location. Once in place it will be possible to configure all applications once without building one-off crypto configuration managers for each application. System can also handle common pem files as well.
  
 
== Scope ==
 
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+
Mostly my changes, as out-lined in the description. Once the feature is in place, applications can make minor changes to start using this new feature.
 
+
 
== How To Test ==
 
== How To Test ==
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be.  
+
Once in place, the feature can be tested with the NSS certutil command. Simply use certutil to list, add, and remove files from "sql:/etc/pki/nssdb" (that is specify -d sql:/etc/pki/nssdb on the certutil command line with the rest of the command), which would automatically trigger using the Fedora system locations.  
  
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
+
If you own an application that uses NSS, you can change your application to open "sql:/etc/pki/nssdb" instead of your private NSS directory and you should have access to the user's shared keys.
  
A good "how to test" should answer these four questions:
+
Some applications can be faked out as well. I'll include instructions to convince FF and TB to use the system locations.
  
0. What special hardware / data / etc. is needed (if any)?
 
1. How do I prepare my system to test this feature? What packages
 
need to be installed, config files edited, etc.?
 
2. What specific actions do I perform to check that the feature is
 
working like it's supposed to?
 
3. What are the expected results of those actions?
 
-->
 
  
 
== User Experience ==
 
== User Experience ==
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
+
When completed, the User should be able to access any of his keys and certs from any application without copying .p12 or .pem files around.
  
 
== Dependencies ==
 
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
+
nss 3.12.4 plus patches.
  
 
== Contingency Plan ==
 
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->
+
If the feature is not complete, applications can continue to use their private directories to store keys and certificates into.
  
 
== Documentation ==
 
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
+
Yes, see link given above.
*
+
  
 
== Release Notes ==
 
== Release Notes ==
Line 69: Line 65:
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
+
* See [[Talk:Features/YourFeatureName]]  
 
+
   
  
 
[[Category:FeaturePageIncomplete]]
 
[[Category:FeaturePageIncomplete]]

Revision as of 22:43, 20 July 2009

{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.}}


Contents

Feature Name

System Crypto Database

Summary

Allow NSS applications to access a shared crytpto database for each user (where user specific keys and certificates are stored) as well as access to a shared system database where shared system configuration is stored.

NSS upstream has defined the design for this here: [[

Owner

  • email: rrelyea@redhat.com

Current status

  • Targeted release: [[Releases/Template:12 | Template:12 ]]
  • Last updated: June 22, 2009
  • Percentage of completion: 60%


Detailed Description

See Upstream wiki page.

Actual implementation will involve: 1) picking up NSS upstream changes. 2) Adding a Fedora module to initialize the Fedora definitions of where the user and system databases exist. 3) [future] Fedora module could be replaced with an IPA specific module which uses IPA to configure where various applications and user store their databases.

Benefit to Fedora

Applications can allow Fedora to configure much of their configuration information from a common location. Once in place it will be possible to configure all applications once without building one-off crypto configuration managers for each application. System can also handle common pem files as well.

Scope

Mostly my changes, as out-lined in the description. Once the feature is in place, applications can make minor changes to start using this new feature.

How To Test

Once in place, the feature can be tested with the NSS certutil command. Simply use certutil to list, add, and remove files from "sql:/etc/pki/nssdb" (that is specify -d sql:/etc/pki/nssdb on the certutil command line with the rest of the command), which would automatically trigger using the Fedora system locations.

If you own an application that uses NSS, you can change your application to open "sql:/etc/pki/nssdb" instead of your private NSS directory and you should have access to the user's shared keys.

Some applications can be faked out as well. I'll include instructions to convince FF and TB to use the system locations.


User Experience

When completed, the User should be able to access any of his keys and certs from any application without copying .p12 or .pem files around.

Dependencies

nss 3.12.4 plus patches.

Contingency Plan

If the feature is not complete, applications can continue to use their private directories to store keys and certificates into.

Documentation

Yes, see link given above.

Release Notes

Comments and Discussion