[Authentication] Proposal for a common secrets handling in web browsers

Guillaume Martres smarter3 at gmail.com
Wed Jul 15 08:23:55 PDT 2009

Hi all,
As an Arora[0] developer I am very interested in this project, as it will 
allow us to have cross-desktop password handling. Since this project is still 
at an early stage, I'd like to take the chance to standardize the way 
"secrets" will be stored by web browsers. In this post I'll almost only speak 
of forms handling since that's the most important part but the goal is to 
cover every "secret" a browser may have.
- General stuff:
* Add a "network" collection. KWallet already does that and this seems a good 
idea to keep things together and not clutter the default collection. It would 
be available using org.freedesktop.Secrets.Service.NetworkCollection

- Forms handling:
* Use the attribute "URL" to indicate the page where the form lies.
* Store every field content in a different item, as a secret. The label of the 
item will be the name of the field. If an item with the same label already 
exists, overwrite it.
* Use the encryption algorithm "plain" for every secret, except if it is a 
password field secret. In this case, use whatever encryption the specification 

Here is some pseudocode(or more exactly pseudopython ;)) which illustrates the 
storing process:
onFormSent(formUrl, fields):
    collection = org.freedesktop.Secrets.Service.NetworkCollection
    for fieldName, fieldType, fieldContent in fields:
        if fieldType == "password":
            algorithm = "MySecureAlgorithm"
            parameters = "unbreakable"
            algorithm = "PLAIN"
            parameters = ""
        Secret secret = (algorithm, parameters, fieldContent)
        collection.createItem(dict("URL", formUrl), secret, fieldName, true)

And the loading process:
onFormLoaded(formUrl, fields):
    collection = org.freedesktop.Secrets.Service.NetworkCollection
    itemList = collection.searchItems(dict("URL", formUrl))
    for item in itemList:
        fields[item.Label] = item.Secret

That's all for now. I hope this makes sense :).

[0] : http://arora-browser.org
Guillaume Martres - https://launchpad.net/~smarter

More information about the Authentication mailing list