On Sat, 2007-04-14 at 16:56 +0000, Nate Nielsen wrote:
> Kirioss wrote:
> > I'm not sure I understand what will be possible with this new function. Will
> > it be possible to unlock the keyring automatically when the user logs on (to
> > avoid multiple passwords) and let NetworkManager (wireless and VPN) take the
> > certificate from the keyring without the need, for the user, to know any PIN
> > code to unlock the private key?
>
> Yes, among other things, that's the eventual goal.
I have been digesting this thread for a while and thinking about the half-written code I have from last fall. I still think that the proper way for us to unlock passwords on login is by using the following workflow.

1) Keyrings have a property called on_login.
2) There is a system-generated keyring for each user called Login.
3) If you set the on_login property on a keyring, its name and password are stored in the Login keyring.
4) Then I can write pam_keyring to always use the Login keyring, unlock that with the system password, and systematically go through and unlock every keyring it has a secret for.

This makes it easy to have multiple keyrings. I have keyrings for personal, work, and system secrets. This allows me to replicate different keyrings to different machines, without putting all my secrets on that machine. I have thought about per-application keyrings, but that seems a little overkill.

The above approach also gives you the ability to have different passphrases for different certs or services. They are retrievable if you forget them but remember your system passphrase. It also gives you only one passphrase (the one to unlock the Login keyring) to keep in sync with your system passphrase. So if something happens and they get out of sync, you don't have to update 20 different passwords to get things back in sync and unlocking on login properly.

Comments?

Jon

desktop-devel-list mailing list
http://mail.gnome.org/mailman/listinfo/desktop-devel-list
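The four-step workflow Jon describes (on_login flag, a per-user Login keyring holding other keyrings' passwords, a PAM module that unlocks Login with the system password and then chains through the rest), worked through as an added, self-contained toy model. This is illustration code written for this page, not gnome-keyring's storage format, its PAM module, or any code from the thread's authors; the class and function names (Keyring, set_on_login, pam_keyring_login, seal/unseal) and the keyring names and passwords in demo() are invented here. Each keyring is a salt plus an encrypt-then-MAC blob under a PBKDF2-derived key, so a wrong or stale password is detected by the tag check rather than by decrypting garbage. The demo also exercises the two cases the mail argues for: a system-password change only requires re-sealing Login, and a keyring whose own password was rotated behind Login's back simply stays locked instead of breaking everything.

```python
import hashlib
import hmac
import json
import os

# Added toy model of the Login-keyring workflow. NOT gnome-keyring's real
# format or pam module; all names and the parameters below are assumptions.
ITERATIONS = 50_000  # a real implementation would pick a higher count


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, items: dict) -> bytes:
    """Encrypt-then-MAC the item dict: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(items, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong (or stale) password fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad password or corrupted keyring")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return json.loads(pt)


class Keyring:
    """A named keyring: salt + sealed blob. `items` is None while locked."""

    def __init__(self, name: str, password: str, items=None):
        self.name = name
        self.salt = os.urandom(16)
        self.on_login = False          # step 1: the on_login property
        self.items = None
        self.blob = seal(derive_key(password, self.salt), items or {})

    def unlock(self, password: str) -> bool:
        try:
            self.items = unseal(derive_key(password, self.salt), self.blob)
            return True
        except ValueError:
            self.items = None
            return False

    def lock(self) -> None:
        self.items = None

    def add_item(self, password: str, key: str, value: str) -> bool:
        if not self.unlock(password):
            return False
        self.items[key] = value
        self.blob = seal(derive_key(password, self.salt), self.items)
        return True

    def change_password(self, old: str, new: str) -> bool:
        if not self.unlock(old):
            return False
        self.blob = seal(derive_key(new, self.salt), self.items)
        return True


def set_on_login(ring: Keyring, ring_pw: str, login: Keyring, login_pw: str) -> bool:
    """Step 3: flag the keyring and record its name/password inside Login."""
    ring.on_login = True
    return login.add_item(login_pw, ring.name, ring_pw)


def pam_keyring_login(system_pw: str, login: Keyring, keyrings: list) -> dict:
    """Step 4: unlock Login with the system password, then every flagged
    keyring Login holds a secret for. Returns {name: unlocked?}; a False
    means the stored password is stale and that one keyring stays locked."""
    if not login.unlock(system_pw):
        return {login.name: False}
    result = {login.name: True}
    for ring in keyrings:
        if not ring.on_login:
            continue
        stored = login.items.get(ring.name)
        result[ring.name] = stored is not None and ring.unlock(stored)
    return result


def demo():
    """Constructed scenario: personal and work keyrings chained off Login;
    the 'system' keyring is deliberately left unflagged."""
    login = Keyring("Login", "system-pw")
    personal = Keyring("personal", "pers-pw", {"imap": "hunter2"})
    work = Keyring("work", "work-pw", {"vpn-cert-pin": "1234"})
    system = Keyring("system", "sys-pw", {"root-ca-key": "..."})
    rings = [personal, work, system]
    set_on_login(personal, "pers-pw", login, "system-pw")
    set_on_login(work, "work-pw", login, "system-pw")

    for r in (login, *rings):
        r.lock()
    first = pam_keyring_login("system-pw", login, rings)

    # System password changes: only Login has to follow it.
    login.change_password("system-pw", "new-system-pw")
    for r in (login, *rings):
        r.lock()
    second = pam_keyring_login("new-system-pw", login, rings)

    # Out-of-sync case: work's own password rotated, Login still holds the old one.
    work.change_password("work-pw", "rotated")
    for r in (login, *rings):
        r.lock()
    third = pam_keyring_login("new-system-pw", login, rings)
    return first, second, third


if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

Note that the unflagged "system" keyring never appears in the result: pam_keyring_login only touches keyrings whose on_login flag is set, which is what lets a machine carry a keyring without auto-unlocking it. The third stage shows the failure mode the mail is trying to contain: a stale entry in Login leaves one keyring locked, and fixing it means updating that one entry rather than every secret.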
