Havoc Pennington wrote:
> Anyway, I'm thinking about how to clean up the password-storage situation.
>
> Here is the current situation:
>  - Pidgin just sticks passwords in plain text in app-specific XML files
>  - Gossip does the same thing, plain text in XML files
>  - Firefox has its whole own thing, though they have plans to use the
>    Keychain on OS X they are not planning to use gnome-keyring according
>    to possibly-outdated wiki page:
>    http://wiki.mozilla.org/Firefox:Password_Manager

I believe the epiphany guys have been working on this, at some point:

http://bugzilla.gnome.org/show_bug.cgi?id=130336

>  - BigBoard puts things in gnome-keyring
>
> Looking in gnome-keyring-manager, there's barely anything in there.

Yeah, one big problem with gnome-keyring was the problem of having to enter your password twice, which really bugged users. I hope that with the PAM integration in 2.20, this major excuse for not using gnome-keyring will be no more.

Evolution, for example, has gnome-keyring support but is rarely compiled with it due to the above.

> Looking at gnome-keyring-manager does hint at one problem, though;
> gnome-keyring is too "policy free" and free-form. It provides a shared
> password facility, but no real guideline for _how_ to store the
> passwords or how to find the password for a particular thing or
> particular site.

Yes a spec does seem necessary to help coordinate what is stored in each of the individual attributes. We ran into this problem with seahorse and gnome-gpg, each of which wanted to store passwords for PGP keys in the keyring.

We probably also want to add one or more keyring item types, eg: for web form data. The current list of item types:

    GNOME_KEYRING_ITEM_GENERIC_SECRET
    GNOME_KEYRING_ITEM_NETWORK_PASSWORD
    GNOME_KEYRING_ITEM_NOTE

>  - have some mechanism for "smart deductions," like "I can guess you
>    have an XMPP account that matches your google.com username/password" -
>    maybe this just has to be in the apps, not sure

Along with what Alan said, pushing this too far down the stack opens up many possibilities for password retrieval attacks, like the recent spate of attacks that exploited this in Firefox and Safari.

Cheers,
Stef Walter
_______________________________________________
desktop-devel-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/desktop-devel-list
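
An added example, not part of the original message and not gnome-keyring code: a small Python model of attribute-matched keyring lookup, showing why two applications need an agreed attribute spec to share an item, and why a lookup should refuse a query that names only some of the identifying attributes. The `Keyring` class, the attribute names, the schemas and the sample values are all hypothetical and constructed for illustration.

```python
# Model of attribute-based keyring lookup (constructed; not libgnome-keyring).
# Assumption: an item matches when every queried attribute equals the stored one.

class Keyring:
    def __init__(self):
        self.items = []  # list of (attributes dict, secret)

    def store(self, attrs, secret):
        self.items.append((dict(attrs), secret))

    def find(self, query):
        return [s for a, s in self.items
                if all(a.get(k) == v for k, v in query.items())]

# Hypothetical shared schemas: attribute names every app agrees on, all required.
PGP_SCHEMA = ("item-kind", "key-id")
NETWORK_SCHEMA = ("protocol", "server", "user")

def checked(schema, attrs):
    """Reject attribute sets that omit or add names relative to the schema."""
    if set(attrs) != set(schema):
        raise ValueError("attributes %r do not match schema %r"
                         % (sorted(attrs), sorted(schema)))
    return attrs

def uncoordinated_lookup():
    """App A stores under its own name; app B queries under a different one."""
    kr = Keyring()
    kr.store({"gpg-key": "0xCONSTRUCTED"}, "passphrase")  # app A's naming
    return kr.find({"keyid": "0xCONSTRUCTED"})            # app B's naming

def coordinated_lookup():
    """Both apps use the shared schema, so the second one finds the item."""
    attrs = {"item-kind": "pgp-passphrase", "key-id": "0xCONSTRUCTED"}
    kr = Keyring()
    kr.store(checked(PGP_SCHEMA, attrs), "passphrase")
    return kr.find(checked(PGP_SCHEMA, attrs))

def partial_query_released():
    """A query naming only the user would match a password stored for any
    service, so the schema check refuses it before the keyring is searched."""
    kr = Keyring()
    kr.store(checked(NETWORK_SCHEMA, {"protocol": "https",
             "server": "mail.example.org", "user": "alice"}), "web-secret")
    try:
        return kr.find(checked(NETWORK_SCHEMA, {"user": "alice"}))
    except ValueError:
        return None  # refused: protocol and server were not specified
```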
