[Authentication] Proposal for a common secrets handling in web browsers

Guillaume Martres smarter3 at gmail.com
Wed Jul 15 08:23:55 PDT 2009


Hi all,
As an Arora[0] developer I am very interested in this project, as it will 
allow us to have cross-desktop password handling. Since this project is still 
at an early stage, I'd like to take the chance to standardize the way 
"secrets" will be stored by web browsers. In this post I'll speak almost only 
of form handling, since that's the most important part, but the goal is to 
cover every "secret" a browser may have.
- General stuff:
* Add a "network" collection. KWallet already does that and this seems a good 
idea to keep things together and not clutter the default collection. It would 
be available using org.freedesktop.Secrets.Service.NetworkCollection

- Forms handling:
* Use the attribute "URL" to indicate the page where the form lies.
* Store every field content in a different item, as a secret. The label of the 
item will be the name of the field. If an item with the same label already 
exists, overwrite it.
* Use the encryption algorithm "plain" for every secret, except if it is a 
password field secret. In this case, use whatever encryption the specification 
recommends.

Here is some pseudocode (or more exactly pseudopython ;)) which illustrates the 
storing process:
===============================================
def onFormSent(formUrl, fields):
    org.freedesktop.Secrets.Service.openSession()
    collection = org.freedesktop.Secrets.Service.NetworkCollection
    # One item per form field; the field name becomes the item label.
    for fieldName, fieldType, fieldContent in fields:
        if fieldType == "password":
            # Placeholders for whatever encryption the specification recommends.
            algorithm = "MySecureAlgorithm"
            parameters = "unbreakable"
        else:
            algorithm = "PLAIN"
            parameters = ""
        secret = (algorithm, parameters, fieldContent)
        # Last argument: overwrite an existing item with the same label.
        collection.createItem({"URL": formUrl}, secret, fieldName, True)
===============================================

And the loading process:
===============================================
def onFormLoaded(formUrl, fields):
    org.freedesktop.Secrets.Service.openSession()
    collection = org.freedesktop.Secrets.Service.NetworkCollection
    # Look up every item stored for this page and fill the matching fields.
    itemList = collection.searchItems({"URL": formUrl})
    for item in itemList:
        fields[item.Label] = item.Secret
===============================================

That's all for now. I hope this makes sense :).

[0] : http://arora-browser.org
-- 
Regards,
Guillaume Martres - https://launchpad.net/~smarter
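
The storing and loading scheme proposed above, as an added runnable example that is not part of the original post and does not use the real Secret Service API. The `NetworkCollection` class, its method names, and the "SPEC-RECOMMENDED" tag are hypothetical, and it assumes an overwrite applies only when both the label and the "URL" attribute match, so that same-named fields on different pages stay separate.

```python
from dataclasses import dataclass, field


@dataclass
class Item:
    label: str        # form field name
    attributes: dict  # {"URL": page where the form lies}
    algorithm: str    # tag only; this model performs no encryption
    secret: str


@dataclass
class NetworkCollection:
    """In-memory stand-in for the proposed "network" collection (hypothetical)."""
    items: list = field(default_factory=list)

    def create_item(self, attributes, algorithm, secret, label, replace):
        if replace:
            # Assumption: overwrite only when label AND attributes match, so a
            # "pw" field on one page never clobbers "pw" on another page.
            self.items = [i for i in self.items
                          if not (i.label == label and i.attributes == attributes)]
        self.items.append(Item(label, dict(attributes), algorithm, secret))

    def search_items(self, attributes):
        # Exact match on each requested attribute; no prefix or substring match.
        return [i for i in self.items
                if all(i.attributes.get(k) == v for k, v in attributes.items())]


def on_form_sent(collection, form_url, fields):
    for name, ftype, content in fields:
        algorithm = "SPEC-RECOMMENDED" if ftype == "password" else "PLAIN"
        collection.create_item({"URL": form_url}, algorithm, content, name, True)


def on_form_loaded(collection, form_url):
    found = collection.search_items({"URL": form_url})
    return {i.label: i.secret for i in found}


def demo():
    # Constructed sample data: two submissions on one page, one on another.
    c = NetworkCollection()
    a, b = "https://a.example/login", "https://b.example/login"
    on_form_sent(c, a, [("user", "text", "alice"), ("pw", "password", "old")])
    on_form_sent(c, a, [("user", "text", "alice"), ("pw", "password", "new")])
    on_form_sent(c, b, [("user", "text", "bob"), ("pw", "password", "hunter2")])
    return c
```
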
