[Posted to list only]

On 2013-03-25, at 8:02 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Another nice thing Apple have done, which no-one else has
> managed so far, is to get people to actively use the Keychain API and
> capabilities.

I just looked in my login (default) OS X Keychain for "Application Passwords" that aren't from Apple-supplied applications. I found 27 distinct applications used. (I suspect that I also have a bunch of "Login Passwords" that are tied to non-Apple applications as well, but don't have a convenient way to count these).

The first versions of 1Password (the password management software I'm involved with) used the OS X Keychain for the site passwords we stored. (There were reasons why we moved away from the OS X keychain, most notably because MobileMe syncing of keychains wasn't reliable). It used a distinct Keychain from the user's login Keychain.

In later versions of 1Password we used the OS X keychain only for the purposes that Keyspace seems designed for. We had different components that needed to talk to each other securely (the stuff that ran the browser plug-ins and the main application). So using the OS X Keychain to restrict some data to specific applications was a good solution for us.

Now, with browser sandboxing and extension requirements, we can't use that same technique (we can't write pure JavaScript extensions that make use of the OS X Keychain, and so now use a websocket daemon running on localhost) and we want a solution that works across platforms. So something like Keyspace may be the sort of thing we will have to rely on. We are also looking at whitebox cryptography so that at least we will have some theory behind how good (or bad) our obfuscation is.

Basically, we'd love to have access to something like the OS X Keychain everywhere. It worked, and we didn't have to develop our own techniques for managing secrets needed by multiple related applications.
Cheers,

-j

--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography