WWDC2000 Session 168

Transcript

Kind: captions
Language: en
so as bill said i'm kevin macleod and i
work on this thing called keychain which
we're going to go through today so
hopefully we have some exciting stuff to
tell you about much more exciting than
what's going on next door we'll give you
a quick overview of what the keychain is
and then we'll update you since we
talked to you last year about what's
been going on with the keychain will
tell you about the key chain manager
api's and answer your questions about
where they fit with carbon and where
they are on OS 10 and then at the end
we'll tell you where we're going with
the api's and finally we'll have a demo
of course and QA hopefully what so
you'll take away from the session is a
knowledge of what the keychain provides
for you and especially what api's would
be in carbon so you can go out and add
keychain support to your application so
what is the key chain the keychain is a
repository that's secure analogy I use
is a bank vault the bank's vault door
closes and things you put in there
secure the things we put in there are
passwords cryptographic keys digital
certificates the bits of information
that sort of authenticate you or private
bits of data that unlock other things or
you know decrypt pieces of data the
keychain is built on top of this
framework called cdsa which is the
common data security architecture that
originated at Intel and that's an open
group standard I believe they've
announced plans to open source their
implementation the key chain has a
really neat feature and that it enables
its clients to provide something called
transparent authentication that's the
ability to log in one and then any
servers and things that you have
passwords stored in your keychain for
you'll just be able to connect to them
transfer
currently through clients that use the
key chain the key chain is first
introduced and shipped with mac OS 9 and
it's available there and going forward
of course on 10 and later so let's
define some terms that are important
when talking about key chains key chain
is always in one of two states it's
either locked or it's unlocked and when
it's locked you can't retrieve data from
the keychain you need to unlock it in
order to do that every stored password
or key or certificate things that are in
the keychain we call keychain items and
go into a little bit these things which
all keychain items have in common then
we have this notion of the default key
chain that's the one if you have
multiple key chains that's the one where
new items are added so a system can have
more than one key chain you can have
some locks some unlocked put some types
of keys or server passwords in one and
and copy one to the server you know and
use it over the network if you want
typically we see the two there's one key
chain per user that's certainly the
ability to have more than one that's
their key chains can be set to lock
automatically so you don't have to go
off for example leave your desk and
worry about whether or not someone can
come up and access things that are in
your keychain and the key chain is
scriptable so everything that you can
access through the keychain API you can
get out through applescript keychain
files can be moved around from one
machine to the other which makes them
very useful you can take your keychain
from work to home and and have it
available there you can have it on the
network at this point I have to
tell you that key chains will not be
portable between nine and ten now that
was a decision that we do not make
lightly and part of the reason is that
the key chains on OS and I'm use
encryption algorithm which is patented
and we're trying to move away from we're
trying to get rid of any things that
prevent us from open sourcing that's at
some point in the future but when you go
from nine base keychains to 10 base
keychains we hope to provide some kind
of updater that will just convert them
so you can go easily but if that's going
to be a problem please let us know about
it like I said keychain files can be on
servers you can use them over the
network and you can hit use them unlock
media so you can open a keychain
read-only most important for where we're
going in the future the cdsa
architecture on which the keychain is
built allows you to have key chains on
smart cards and removable tokens these
things just appear as keychains to
clients with the keychain API and when
there are modules to plug in to the
underlying PDSA architecture to support
these types of things we actually have
one working but as there are other ones
that are provided these things just show
up and you can use them in the keychain
so lots actually happened since last
year we're in OS 9 and not just shipping
but we're actually an integral part of
it there are a lot of system components
that use the key chain and are tied to
it if you use the Apple share client
you'll know that it can store passwords
in the keychain and the other components
like network browser and even airport
and Apple file security AFF all use the
key chain for password storage we ship
the security SDK which includes the
keychain and URL access and Macintosh
file signing and the CMS technology
cryptographic message syntax and all
those things are available now hopefully
some of you have had a chance to look at
and use them play with it copy that URL
down because a lot of good stuff there
the keychain is now in BP for if you've
had a chance to install that the api's
are in there still kind of a development
release still working on it and it
requires you to link to the security a
chai framework in order to actually get
at the keychain api that wont to stay
the case we're very close to actually
having this fully in carbon on both 9
and 10 just missed the BP for train but
so you can still use CP for again if you
link with security HRM work so this is a
map of where the api's are and where you
can call them from it's actually a
pretty important slide on the left hand
side our legacy apps which are your pre
carbon mac OS and I on applications and
the AP is that are there are those that
we shipped with mac OS 9 the key chain
you will access i sign which is
Macintosh file signing and the CMS api's
all those are still there in classic and
they're built on top of cdsa 1.2
so those apps will just work in classic
OS 10 and they'll continue to work on
Mac OS 9 of course the middle block
carbon applications sort of straddle
this line between mac OS 9 and mac OS 10
the api is that are in carbon will be
key chain and URL access so carbonized
application that can run on nine or on
10 can make use of those ap is one thing
that we did after Mac OS 9 when we sort
of look toward the future and
integrating with those 10 is how to
factor the pieces functionality that we
had in keychain API and make it
available for you know not just carbon
applications but you know bsd unix
applications coco app across the board
and when weari architected this we
realized that a number of things had to
be separated out especially key in
certificate management and things that
required keys and certificates so Mac OS
10 apps as a category or those
applications that will only run on mac
OS 10 that could include your cocoa apps
your bsd unix abs and also carbon
applications that make use of those
api's such as file signing and the piece
there that we're calling security Corps
which includes keychain api's and some
newer versions of those AP is that you
can use from lower levels and that don't
require UI which I'll get into a little
bit again those applications 10
applications and carbon applications
that you're running on 10 sit on top of
the CD s a 2.0 API and that's a big step
forward from 1.2 in the amount of things
that lets us do it lets us have for
example something called access control
lists so that each individual item in
your keychain can be protected
separately and
you can allow certain applications to
access certain items and not access
other items and all those things are
sort of enabled by CBS a two point oh so
your application you want to use the
keychain API what can you store in the
keychain there are three basic classes
of items that go into the keychain keys
passwords and certificates and each of
those classes has subclasses of items
that we support the middle column their
passwords is what the keychain API is
primarily focused on in this release and
in carbon every keychain item has two
components they have attributes and they
have data the data in this case in this
example is just a password but there are
additional attributes that sort of hang
on to that password and allow you to
find it again in this example I have my
account name can and a server and a pass
on that server these are all this bits
of data that you can attach to the
password and that help you find it so
all these items that are in the keychain
have these common attributes the
collapse of the item the date created
the date modified every item has a label
the thing that shows up when you view it
in keychain access as a description and
a comment which is all optional within
those subclasses of course every item
has additional attributes that you can
look at internet password items for
example have a server name associated
with them and things like the protocol
that's used for that particular password
attributes as I said are used just to
find the item the actual thing that
you're storing in the keychain which are
keeping secure is the data the items
data can't be searched you can't look
for all items that have a particular
password because wouldn't be too secure
you can't get the data out unless the
keychain is unlock and you can't
retrieve the data of an item without the
user's explicit permission now what's
that cement in the past if you've had a
chance to play with a key chain on OS 9
is that every time you go to get
something out of the keychain a dialog
pops up and asks you do you want to
allow access to this item that's been a
problem if for no other reason than
users just get conditioned to hit the
enter key every time so we're moving
away from that dialogue it would come up
and go more than once and we're going
toward the ability to let you
pre-configure access for your items in
particular very important cryptographic
keys private keys and symmetric keys the
data of those items can never be
retrieved from a keychain so how secure
is the key chain well for one and I
think this is pretty important it
doesn't actually depend on the machines
physical security it's stored in an
encrypted format so you don't have to
write down your passwords or store them
in a preference this file or store them
you know on a sticky note somewhere on
your disk the keychain file itself is
encrypted and the password that unlocks
your keychain is never stored anywhere
on disk what we do is run it through an
algorithm called PK or PB kdf to which
is specified in our essays p kc f 5
standard and what that does is it
derives a key every time from your
keychain password a little bit about the
encryption that's used and again I said
that we were trying to move away from
what we were using a mac OS 9
to something a little better on OS 10
that did not prevent us from at some
point in the future doing what Darwin
has done the current plan is to use
triple deaths although I've talked to
some of you and some of you brought this
up in another session that there are
perhaps other algorithms that we can use
so we were certainly looking forward to
any feedback that you have about to
about that now normally a keychain is
unlocked with a password the dialog box
comes up and it asks me to unlock the
key chain you type in the password and
then the keychain is unlocked and items
can be retrieved if you type the wrong
password in every time you do that the
delay grows between the amount of the
time when that dialogue can come up
again and new passwords are accepted so
this sort of prevents a systematic
attack sort of the virtual user type
thing where it just types him the
password into the dialogue over and over
we allow programmatic unlock in OS 9 it
was limited essentially if you use the
programmatic API to unlock the key chain
and you've got the password wrong the
first time that was it you have to
restart in order to try that again and
but you know effectively shut down that
opportunity but it also prevented a lot
of people from acting as an intermediary
to let the user unlock a keychain that
perhaps your applications we've created
so no it's 10 we're going to move to a
mechanism that allows that same sort of
exponential delay between failures to
prevent the attack now again data of the
items can't be retrieved without some
sort of explicit permission that the
user has granted this permission can be
given on a per item basis a per process
basis or entire keychain you can say
always allow everything in this keychain
to be accessed
without without bothering me again in OS
9 we had a problem identifying processes
it would be nice to say okay always lets
my web browser or my mail client access
the password in the keychain don't
bother me problem was when that client
quit something else could start up and
say hey I'm the mail client give me the
password and there was actually no
mechanism at nine to prevent that so in
10 we can actually do a digest a
cryptographic digest of the process
store that and securely allow in a
pre-configured manner access to key
chain items now cryptographic keys in
your keychain in 9 optionally required a
password in order to use them not just
to unlock the key chain itself to get at
them but every time you want to use them
the CD SI 2 point 0 API and Mac OS 10 is
going to allow us to provide that sort
of per item protection optionally for
every item in your keychain so what can
you do with the keychain well if your
application at any point ask the user
for a password and needs to store it
somewhere you can store that password in
a keychain instead of having to worry
about how you're going to encrypt it or
where you're going to store it and also
you really want to allow the user the
opportunity to save off the password
that you've asked for so that in the
future they can come back and they don't
have to type the password over and over
as they access whatever it is it needs
the password and you can also store keys
and certificates this is a piece of
functionality that is moving out of the
keychain API and carbon to that other
box that I showed on the previous slide
that's going to be a mac OS 10
oh gee so let's go over the AP is that
are in carbon there are high-level calls
which are very easy to get started with
those high-level calls actually have
some underlying low-level routines to do
bits and pieces of functionality that
you may need the API allows you to
search for items that's its primary sort
of purpose there to find and then there
are API routines to let you manage
keychain and finally there's the ability
to notify when something has occurred
with the keychain whether it's a
keychain unlocking or a particular items
being accessed you can register and get
notifications for those sorts of events
so the first thing you need to do is
call this routine key chain manager
available reason for that is that it may
not be there if your application is a
carbon application running on say 8.1
the keychain is not going back that far
but your application can still be
running as a carbon app so you need to
test for it to make sure that its
present you also don't need to
explicitly create a keychain to get
started with unless your application
needs to for some reasons but the
preferred ways to let the user be in
charge of that if you need to store
something in a keychain you can just
store it and all of the sort of
housekeeping it's setting up a keychain
will be taken care of for you by the API
and then finally you'll just use the
high-level call to find the password in
the keychain so there are three basic
API routines to get a password fine
Apple share password internet password
and generic and all of these take a
number of attributes that you're looking
for maybe a server name an account name
and will return the password to you
and conversely we have those actually
should say add instead of fine but we
have the similar routines for adding a
single password to the default key chain
so just mentally replace the word find
in each of those with ADD and you have
the idea so those high level calls are
actually made up of a number of sort of
individual factored pieces when you're
calling add internet password to put
something into the keychain it's
actually doing the work of all of those
items that you see there on the right
hand side to set up the item to
associate it with a keychain to
associate the attributes you passed in
and finally to update it and write it
out to the keychain storage so the new
item call will create a new keychain
item and when you do that it's just in
memory and it's not associated with any
particular key chain you want to add it
to a keychain you'll call add item and
you'll always access items through a KC
item rep that's sort of the common
denominator the format's that all items
whether their keys passwords or
certificates can be manipulated through
you'll use get attribute to retrieve a
particular attribute from an item and
set attribute to change the attribute
and the same thing with the data get
data will retrieve the data of the item
it's that data will change it when
you've changed an item whether you've
added new attributes to it or change
them or change the data you'll want to
call update item which actually commits
the change it writes it to the keychain
and finally when you're done with an
item you can release the memories of the
item occupies by calling kc release item
if you need to define more than one item
in the key chain you can use fine first
item and find next item fairly
straightforward they take a list of
attributes things that you're searching
for and they'll return a search
reference to you so you can continue to
call find next item as you need to
define items that match your search
criteria and then when you're all done
you call release search now as I said
before most of the time you want to
allow the user to create their own key
chains but there are calls when you need
to create a keychain yourself and when
you need to sort of iterate through the
key change perhaps you're looking for a
particular key chain with a particular
set of attributes you'll access those
through a Casey rep Casey ref is an
opaque structure currently everything on
the system is a key chain file but
that's changing and it's very important
not to assume the casey ref or keychain
is actually an FF spec or a file on the
system because it could be a smart card
it could be any kind of device that's
pluggable into the CDF a layer on the
bottom they've against status routine
you'll probably actually use that when
you need to determine whether a keychain
is locked unlocked whether it has read
only access before you try to store
something in it for example and other
status flags keychain name returns like
it says the name of the keychain you'll
use count keychains to figure out how
many key chains are available and get in
the keychain which is get indexed
keychain will return a particular key
chain out of that list given an index
so this is an interesting part of the
API notification when anything happens
in the keychain you can be notified and
take some sort of action maybe you want
to write a logging apps that logs all
accesses to the keychain you can do it
with this what you do is register a
callback procedure with Casey add call
back and you can give it a bit mask that
specifies the actual events that you're
interested in receiving you don't have
to deal with all of these but will tell
you when a keeps you in unlocks what it
locks when something's added when
someone does a search and the item is
found will certainly tell you when
someone retrieves an item that's the get
data event will tell you when an item is
deleted updated and will tell you when
the default key chain has been changed
when you're all done and you don't want
these events anymore you can call Casey
remove call back and then you won't get
them so here's a real simplified example
of a routine that your application might
call I have a connect to server routine
and the two parameters there are the
server that I'm connecting to and who I
want to connect as what my account name
is so the first thing I do there
actually the first thing I do would be
to call key chain manager available but
that's just sort of assumed so i can
call Casey find internet password and
the things that I'm interested in what I
want to look up this password are of
course the server name so I'll pass that
in I don't actually care about the
security domain which is a string so
i'll leave that mill i could specify a
particular constants there i do want to
look for a particular account name that
matches I really don't care about
associating a particular port so I'll
pass any port this is an HTTP password
so there's a constant that I'll pass him
that says I only want an HTTP password
use the default authtype authentication
type there may be different
authentication types that you can
associate with the same server and you
can
distinguish them with that parameter
then I'll pass in a buffer that I
pre-allocated and the length of that
buffer when the call returns assuming
that a password is found that buffer
will be filled out with the password
data and then actual length will contain
the length of that data so then if that
all went well and i found a password the
return the return value status is going
to be no error and so i can just connect
if it's not i need to look at that do
something else ask the user for a
password with my own UI whatever I need
to do there and then finally at the end
I've got a password and I can connect I
said that everything you can do from a
capi you can also do from applescript
with the keychain here's a real simple
example I have the first internet key of
the current keychain the huge claws at
the end there is doing all my searching
so i can add attributes like whose
account is can and whose server is ftp
apple com I can string a list of those
together to sort of specify the item I'm
looking for and if the item is in the
keychain it'll be returned in the item
and then i can get particular attributes
from the item such as password of the
item and then this sample just displays
the password which is obviously not
something that's a you ever want to do
so which keychain AP is are actually in
carbon well the good news is the things
that we're in universal interface is 3.3
it's legal or up to 33 1 or 2 3 actually
all of those calls with two exceptions
are part of carbon so those will be
there they'll be there in carbon lib and
they'll be there in carbon frame work on
10 we had a key chain 1 point 0 API I
know
some of you in this room actually used
it and unfortunately it didn't actually
ship until we were at keychain two point
oh but you know we we put in some code
that actually kept key chain one point O
working and everything was supported on
OS 9 with some exceptions which were
noted at the time and going forward into
town that will be removed there is a
document in that security SDK that give
you the ftp URL for that actually
details the changes from one point 0 to
2 point 0 and the things that you need
to be careful not to do I think the
primary one is not to use a key change
specification that you always want to
use a kc r f which is that opaque
reference and that allows things like
smart cards and other other forms of key
chain to work so we'll be in carbon with
1.1 on OS 9 i think that we may actually
be in there even as we speak in the
current d build of 1.1 the next sort of
build cycle will get that in so it's
eminently there and on OS 10 will be on
the carbon frame work in deep before as
i said before you need to currently
linked against an additional framework
security H I but certainly by the
timeless thing is reaches public beta we
will be fully integrated
so what do you have to do right now to
use the key chain well there's a list
here first of all the current interfaces
define this weird symbol calling
keychain but not in carbon which is kind
of a mouthful it's a workaround so if
you define it to true you'll get all of
the keychain calls the caveat there is
that as well as defining that you need
to link to one of two libraries online
you need to link still with keychain lib
until that 1.1 build of carbon lip is
done and on 10 you need to link against
security a chai framework so right now
today there's not the ability to have a
CFM binary that you can just build
online and take over to 10 and that will
run using the keychain but certainly
that will be possible by by public data
I should also point out that DP for does
mean developer preview and it is a
preview we are not done and one of the
things we're not done with is the
encryption so you may we will definitely
need to know that the script encryption
has been disabled in DP for so do not
rely on key changes you create in DP for
to be secure just a warning so moving
forward we actually plan to take those
api's that we added teaching on OS 9 and
move them into a factor them into a way
that they can be called from
applications that don't bring a few I
that was sort of a problem that we had
with the current release you were forced
in some cases to bring up you I to
unlock a keychain if the key chain was
was locked in order to do anything if
your app couldn't bring up you I then
that was a problem
another problem was that there was no
way to add items to a specific key chain
all items went through the default key
chain whatever that happened to be so we
needed to correct that going forward on
10 these api's will be part of security
Corps and part of the OS 10 frameworks
they won't necessarily be in carbon as
we move forward the api's that we have
there in place now are certainly in
carbon but the new key and certificate
management based things that will
interoperate with the key chain r OS 10
only so the first part of those new API
routines solves that problem of what can
happen or what needs to happen if you
can't bring up any you I can unlock or
authenticate and we had a routine and we
still have a routine in the SDK called
stead interaction allowed which lets you
turn on or off any user interface coming
up problem of course is that you turn
that off and the keychain is locked then
we just returned an error and that's not
very useful so the new api's will
require credentials to be provided and
this is something that is again
supported by the underlying framework
the CD s a framework that will built on
top o'the in OS 10 so the AP is will let
you provide some sort of credential
which can be either a password it can be
a token it can be as simple as Cheers
you know the process that I am did I
have a digest that was pre-approved
there will be a call back where you can
provide that information with the key
chain needs without popping up a
dialogue when it needs it ultimately we
want to move towards certificates as a
way of authenticating that the items can
be retrieved and sort of verifying the
identity of the process that is trying
to retrieve them another problem that we
had is how to add an item to a
particular key chain what you had to do
previously is to save off the default
keychain whenever you were going to add
something to your own key chain you'd
have to set it as the default you'd have
to clip the item in and then sort of
swap it back to to save the users or
restore the users default key change
that was pretty messy so the new API is
in OS then we'll have an optional
keychain parameter so I mentioned the
keys and certificates ap is that were
part of key chain in OS 9 we really only
had two API routines and I'm not aware
of any one that actually used them
please come up afterwards if you use
them and heavily depend on these but to
factor out these and be able to as I
said look forward to being able to take
advantage of the CD s a 2 point 0
features as well as the possibility of
open sourcing some of these components
we've had to move mr. tific handling out
of key chain proper so these two
routines will not be there going forward
and can they'll still be available
online and they'll still be available at
classic but to we'd like you to get away
from using them and use the ones that
will have going forward the new routines
will be provided as part of that
security core piece which is an OS 10
technology one big reason we want to do
this is to avoid dependence on carbon so
if you are for example a bsd unix app
you don't want to depend on carbon have
all this and i don't know in every case
whether it's even possible to have that
dependent so
what this all means is that we're not
taking away keys and certificates
they'll still be there and they'll still
be visible in your keychain they'll just
be put in from a different sort of
vector you won't call add in a keychain
you'll add from the security Corps api's
and you'll even add from the lower level
cdsa p is if you want to go down that
far and use those all the cdsa headers
are available there on the open group's
website which is open groups or get
believe I have a URL for them later on
in this talk but you can look at those
certainly and items in a keychain are
certainly accessible at that layer we
are working on higher level interface is
obviously to sit on top of those which
will to be available by public beta I'm
sorry those are actually the ones that
we're working on for the release right
after public beta so this is the part
I've been looking forward to and mostly
because I know that there's no way max
phone can pop up so it's a it's going to
be good if we could have demo one up on
the screen I can actually go to that
okay great
so the first thing I'll do is look at
keychain access this is the new keychain
access maybe some of you have actually
already have stalled dp4 and it's had a
chance to see this then it looks a lot
like the keychain access that's an OS 9
except of course it's carbonized and it
has the aqua look and feel so i can have
columns that resize and all those neat
things that you get with the with aqua
carbon when we shipped OS 9 we listened
to a lot of feedback of us and there was
a lot of user feedback and of course
number one was why doesn't my web
browser support the keychain but number
two was how do I get something into the
keychain and there was no clear way yes
you could drag mounted servers into the
keychain you know and you could add
passwords there it wasn't real parent
how you would you know store something
for example you know credit card number
or you know the password to your etrade
account or you know these bits of data
that people have been writing down their
palm pilots and sticky notes wasn't real
clear how to get that in so we've got an
advil and that just allows you to put in
your account name and a location maybe
this is the password for my wwc demo and
i'll type it in add it and then i can
get a password in that way and it
becomes a little more useful for people
to use another feature that we've added
to keychain access is the ability to
manage your key chains a little better
than you could before so for example you
may have a list of two or three key
chains or you may have a dozen key
change and maybe you don't want all of
them to be searched when applications
call finds and applications are looking
for things in your keychain do you have
the ability to turn on or off whether
these things are included in the search
and you'll have the ability to reorder
the search order from a dialog so these
are things are working on of
what I'd like to do now is run the
carbonized version of fetch thanks to
Jim Matthews this is ftp client for the
Mac that's carbonized and I have a
shortcut here actually that goes to a
server that I have an account on so when
I double-click that fetch like most
clients needs a password for the server
because it's a password-protected
account so it pops up a password dialog
but in this password dialog is a check
box that lets me as the user decide
whether or not i want to add my password
to the keychain and that's actually very
important you don't want to force people
to use the keychain you always want to
give them the option so I'll add that a
log in to my server if I sort of go back
to keychain access here I'd say that
it's added a password for that server to
the keychain so I can look at it see
that it's in fact the internet password
see the URL the account and this looks
an awful lot again like OS 9 what's not
there and what we are working on is
those access control lists that I
mentioned so given that item I want to
be able to allow fetch of course and you
know perhaps some of my other clients to
access that item and you know don't bug
me about it again everybody else you
know that wants that item bug me but
certainly I want those clients to be
able have access so we're going to add
in this dialog the ability to build up a
list pre-approve pre-configure those
clients that have access so I'll close
the connection to the server and of
course the next time fetch needs to
access it I can just open it and it
doesn't pop any password dialog because
he's called find internet password and
it was there in the keychain so he was
able to use it and I can close the
connection again and I can open it again
and still no password I can do that all
day long of course I can also remove
this password from the keychain if I
don't want it to be used anymore
and then bitch can't use it because it's
not there and it has to ask again so
that's just a basic demo of keychain
land in OS 10 and we could have the
slides back we can wrap up so just to
wrap up the keychain is a repository
it's like a like a bank vault like a
safe it's the place that you can put
your your secure data anna has provided
for you as a system service so your
application doesn't have to do all the
work associated with making these things
secure and hopefully even for asking for
the data that you need to authenticate
it's very easy to use you really only
need two to three calls to get your
application using this and you can get
started now you can get started with TP
for the api's are there again with the
one note that you need to link with
security a chai framework and certainly
the security SDK is out there for nine
which you can also look at so
unfortunately the problem with this
slide is that everything's already
happened but you really if you can want
to take a look at security directions
that gives you more information and i'm
not sure what the media the the session
will be available in afterwards but if
you get a chance to look at a recorded
version of that it's very important to
see how cdsa 2 point 0 fits in for more
information we have the SDK available on
the website and we have updated
documentation so you should all look at
the PDF file it's up on the carbon the
tech club's carbon website and the
documentation is also available in HTML
format on the DP for CD so if you look
in that thang system
documentation in that path you'll find
all of the key chain manager
documentation if you're interested in
sort of drilling down and getting to the
CD sa API layer cdsa is documented at
the open group's website I can go there
for more info and if you are interested
in developing smartcard plugins or the
ability to have these things show up as
keychains that was talked about of
course in the security directions
session but for more info take a look at
the pc SC workgroup website
you