To me, secrets are fundamentally different from data (even confidential data) because they serve as a means to authenticate you or authorize your utilisation of some services.

I guess the question is: should there be a dedicated folder for secrets or should they just be in XDG_DATA_HOME and managed differently by the applications (through your configuration)?

Jonas DOREL

6/7/19 5:57 PM, Simon McVittie wrote:
> On Fri, 07 Jun 2019 at 15:19:25 +0200, Bardot Jérôme wrote:
>> On 06/06/2019 at 23:15, Jonas DOREL wrote:
>>> Currently, most secrets (SSH Keys, GPG Keys, OAuth token) seem to be
>>> located in XDG_CONFIG_HOME.
>> And they should not, secrets are data not config. (for me)
> For what it's worth, gnome-keyring's maintainers seem to agree (it uses
> XDG_DATA_HOME/keyrings).
>
>> For me as far as possible all /home data should have an as strict as
>> possible policy.
> Strict permissions are best-practice for all the XDG basedirs. The
> basedir spec says that applications writing to the basedirs should create
> XDG_CONFIG_HOME, XDG_DATA_HOME or XDG_CACHE_HOME with 0700 (rwx------)
> permissions if they don't already exist.
>
>> If I do it for my emails, or my calendars, or my bookmarks we need a
>> strict policy behaviours.
> Yes, emails, calendars and bookmarks are examples of things that tend
> to contain private or sensitive information, and should not be readable
> by other users unless the owner has specifically configured that.
> In some cases these (especially emails) will contain passwords and
> other secrets.
>
> If 0700 permissions and whatever encryption-at-rest your OS/machine might
> have are not considered to be sufficient protection for a particular
> secret (for example a GPG or SSH key), then I would recommend using a
> USB cryptographic token (Nitrokey, Yubikey or similar) and not storing
> it on disk at all.
>
> smcv

_______________________________________________
xdg mailing list
https://lists.freedesktop.org/mailman/listinfo/xdg
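The 0700 rule Simon quotes from the basedir spec, worked into a small check. This is an added example, not code from the thread or from the spec; the function names and the constructed scratch HOME in `demo()` are mine. It resolves the three basedirs with the spec's defaults, can create a missing one with 0700, and reports any that grant group or other access.

```python
import os, stat, tempfile
from pathlib import Path

# The three basedirs the spec says applications should create with 0700 if missing,
# with the spec's default location relative to $HOME for when the variable is unset.
XDG_DEFAULTS = {
    "XDG_CONFIG_HOME": ".config",
    "XDG_DATA_HOME": ".local/share",
    "XDG_CACHE_HOME": ".cache",
}

def resolve_basedirs(env, home):
    """Map each variable to a Path: the env value if set and absolute, else the default."""
    dirs = {}
    for var, default in XDG_DEFAULTS.items():
        value = env.get(var, "")
        # The spec treats a relative path in these variables as invalid and ignores it.
        dirs[var] = Path(value) if value and os.path.isabs(value) else Path(home) / default
    return dirs

def ensure_private_dir(path):
    """Create `path` with 0700; the umask can widen mkdir's mode, so chmod afterwards too."""
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path, 0o700)

def audit_basedirs(env, home, create_missing=False):
    """Return {var: problem} for basedirs that are missing or grant any group/other access."""
    problems = {}
    for var, path in resolve_basedirs(env, home).items():
        if not path.is_dir():
            if not create_missing:
                problems[var] = "missing"
                continue
            ensure_private_dir(path)
        mode = stat.S_IMODE(path.stat().st_mode)  # stat() follows a symlinked basedir
        if mode & 0o077:  # any group/other bit is wider than the 0700 the spec asks for
            problems[var] = "mode %o grants access beyond the owner" % mode
    return problems

def demo():
    """Constructed scratch HOME: one too-open basedir, one missing, one correct."""
    home = Path(tempfile.mkdtemp())
    (home / ".config").mkdir()
    os.chmod(home / ".config", 0o755)    # listable by group/other: flagged
    ensure_private_dir(home / ".cache")  # 0700: passes
    return audit_basedirs({}, home)      # .local/share never created: reported missing

if __name__ == "__main__":
    print(audit_basedirs(os.environ, Path.home()))
```

Run without arguments it audits the real basedirs of the current user; `audit_basedirs(os.environ, Path.home(), create_missing=True)` also creates any that are absent.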
