On Mon, Feb 26, 2007 at 05:36:04PM -0800, Darren.Reed at Sun.COM wrote:
> Nicolas Williams wrote:
> >...
> >Applications like Gaim could also do what ssh(1) does: encrypt secrets
> >in some passphrase and prompt the user for the passphrase instead of the
> >actual secret. Firefox supports this, for example.
>
> Right. The idea is that rather than have n applications doing
> it "their own way", provide a common API or place for them
> to put said data.
That I don't dispute. If nothing else it helps make sure that the
crypto is done right. GNOME has a keyring manager that might be
relevant here.

I do, however, object to putting NWAM and Gaim in the same category.
What you propose does little or nothing for NWAM, but plenty for Gaim.

> >...
> >System applications ultimately have to store secrets in hardware tokens
> >or in cleartext locally. Scrambling such secrets doesn't help.
>
> I disagree. Between those black and white options, there are
> quite a few "grey" ones in between.

Yes, there is some grey. Encrypted ZFS boot, for example, would secure
system secrets while the system is not running.

Nico
--