Starting in 4.0 the keychain will be using content protection

We will define 4 new classes for the keychain:

Ak = non_exportable, uid_protection|pin_protection
Ck = wrap_on_lock|unwrap_on_lock|non_exportable, uid_protection|pin_protection
Dk = non_exportable, uid_protection
Ek = wrap_on_lock|unwrap_on_lock|non_exportable, uid_protection|pin_protection

A new attribute will be added to all keychain items allowing a caller
to specify the content protection level.
The caller will have a choice of class Ak, Ck, Dk or Ek protection for the
item's data.

Consider whether or not to allow SecItemUpdate to change the protection class.

Backup will no longer directly back up the keychain file; instead a new
SecKeychainMigrate() SPI will be added which takes a keybag and a password and
returns a keychain blob in which class A and C items are protected by the
provided keybag's A and C keys, and the class E key protected items will not
migrate.

Restore will pass the keychain file from an old backup, or the keychain blob
returned by the new SPI, together with the backup keybag and password to
securityd so items can be migrated back into the system keychain db. Class E
items in the backup set will only get restored if they are decryptable (restore
is to the same device); otherwise they are discarded during the restore.


Implementor's notes:
Migrate will take a db file needing to be upgraded or a keychain blob
needing to be migrated into the system security domain.
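The migrate/restore policy above, written out as a small runnable model. This is an added example and not securityd or SecKeychainMigrate() code: the key wrapping is a toy SHA-256 keystream plus HMAC tag so that "not decryptable" is detectable offline, the keybag layout (one key per class, class D keys bound to the device UID only, no class E key in a backup keybag) and the treatment of class D items in a migrated blob (assumed to travel like A and C, which the note names explicitly) are assumptions, and the item names and secrets are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class ProtectionClass(Enum):
    A = "Ak"
    C = "Ck"
    D = "Dk"
    E = "Ek"


# Flag sets exactly as listed in the design note (documentation only here).
FLAGS = {
    ProtectionClass.A: "non_exportable, uid_protection|pin_protection",
    ProtectionClass.C: "wrap_on_lock|unwrap_on_lock|non_exportable, uid_protection|pin_protection",
    ProtectionClass.D: "non_exportable, uid_protection",
    ProtectionClass.E: "wrap_on_lock|unwrap_on_lock|non_exportable, uid_protection|pin_protection",
}


@dataclass(frozen=True)
class WrappedItem:
    name: str
    protection: ProtectionClass
    blob: bytes  # toy ciphertext followed by a 32-byte HMAC tag


def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (assumption: stands in for the real class-key wrapping).
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def wrap(key: bytes, data: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes):
    """Return the secret, or None when the key cannot decrypt the blob."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def device_keybag(uid: bytes, passcode: bytes) -> dict:
    # uid_protection|pin_protection classes derive from UID and passcode;
    # class D (uid_protection only) derives from the UID alone (assumption).
    pin_master = hashlib.sha256(b"dev|" + uid + b"|" + passcode).digest()
    uid_master = hashlib.sha256(b"dev|" + uid).digest()
    bag = {}
    for cls in ProtectionClass:
        master = uid_master if cls is ProtectionClass.D else pin_master
        bag[cls] = hmac.new(master, cls.value.encode(), hashlib.sha256).digest()
    return bag


def backup_keybag(password: bytes) -> dict:
    # A backup keybag carries no class E key: class E never leaves the device.
    master = hashlib.sha256(b"bak|" + password).digest()
    return {cls: hmac.new(master, cls.value.encode(), hashlib.sha256).digest()
            for cls in (ProtectionClass.A, ProtectionClass.C, ProtectionClass.D)}


def add_item(bag: dict, name: str, secret: bytes, cls: ProtectionClass) -> WrappedItem:
    return WrappedItem(name, cls, wrap(bag[cls], secret))


def migrate(db: list, system_bag: dict, backup_bag: dict) -> list:
    """Model of SecKeychainMigrate(): re-wrap A/C (and, assumed, D) items under the
    backup keybag; class E items do not migrate at all."""
    out = []
    for item in db:
        if item.protection is ProtectionClass.E:
            continue
        secret = unwrap(system_bag[item.protection], item.blob)
        if secret is None:
            continue  # item not decryptable with the system keybag; nothing to migrate
        out.append(WrappedItem(item.name, item.protection, wrap(backup_bag[item.protection], secret)))
    return out


def restore(source: list, source_bag: dict, system_bag: dict) -> list:
    """Model of restore: items come from a migrated blob or an old keychain file,
    wrapped under source_bag. Class E items are only restorable with the current
    device's own class E key, so they survive only when restoring to the same device."""
    restored = []
    for item in source:
        if item.protection is ProtectionClass.E:
            key = system_bag[ProtectionClass.E]
        else:
            key = source_bag[item.protection]
        secret = unwrap(key, item.blob)
        if secret is None:
            continue  # not decryptable: discarded during restore
        restored.append(WrappedItem(item.name, item.protection, wrap(system_bag[item.protection], secret)))
    return restored
```

A quick walk-through with constructed data: build a device keybag, add one item per class, run migrate() with a backup keybag and confirm the class E item is absent from the blob; then restore the raw db (the old-style keychain file) to the same device and to a second device, and observe that the class E item only comes back on the first.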