[Authentication] Some input
Dieter Plaetinck
dieter at plaetinck.be
Fri Jul 10 11:40:54 PDT 2009
hi, I applaud your effort to formalize & standardize this.
I gave
http://www.freedesktop.org/wiki/Specifications/secret-storage-spec?action=AttachFile&do=view&target=secrets-api-0.1.html
a quick read and have some input.
Typo's:
"Secrets may be to the client application and vice versa." # be what?
"It is strongly recommended that client applications use to find items
rather than recording the object path of a stored item" # use what?
"A client application must have opened a session before a collection
can be created. The" # the... ?
"and prevent storage plain text storage of secrets in a swap file or
other caching mechanism." #storage storage ?
And now the "real" input, which are mostly just thoughts that popped
into my head:
- configurable encryption for persistent storage? algo, key size etc.
gnupg integration?
- master password unlocks key, key unlocks data?
- can it be usable without dbus? some people don't like dbus. simple
CLI program to query the database?
- datastore : some kind of binary format?
- ACL for apps: a plaintext config maintained by user? maybe itself
stored within the secret storage? would apparmor/selinux/.. already
support something like this?
- unlocking ssh keys by unlocking the secret store? or the other way
around: unlocking the secret store with an ssh key? or hell..
make the secret store an ssh-agent ? gnupg? PAM ?
type master pass once, have ssh/gnupg/pam (login) for free?
- the previous could be taken a step further: some people have
encrypted blockdevices (hard disks) in Linux which they unlock at
boot time (or in initramfs for / ), could this be integrated somehow?
Good work so far and keep it up.
Dieter
More information about the Authentication
mailing list