[Authentication] Proposal for a common secrets handling in web browsers

Dieter Plaetinck dieter at plaetinck.be
Wed Jul 15 09:21:53 PDT 2009


On Wed, 15 Jul 2009 17:23:55 +0200
Guillaume Martres <smarter3 at gmail.com> wrote:

> Hi all,
> As an Arora[0] developer I am very interested in this project, as it will 
> allow us to have cross-desktop password handling. Since this project is still 
> at an early stage, I'd like to take the chance to standardize the way 
> "secrets" will be stored by web browsers. In this post I'll almost only speak 
> of forms handling since that's the most important part but the goal is to 
> cover every "secret" a browser may have.
> - General stuff:
> * Add a "network" collection. KWallet already does that and this seems a good 
> idea to keep things together and not clutter the default collection. It would 
> be available using org.freedesktop.Secrets.Service.NetworkCollection
> 
> - Forms handling:
> * Use the attribute "URL" to indicate the page where the form lies.
> * Store every field content in a different item, as a secret. The label of
> the item will be the name of the field. If an item with the same label
> already exists, overwrite it.
> * Use the encryption algorithm "plain" for every secret, except if it is a 
> password field secret. In this case, use whatever encryption the
> specification recommends.
> 
> Here is some pseudocode (or more exactly pseudopython ;)) which illustrates
> the storing process:
> ===============================================
> onFormSent(formUrl, fields):
>     org.freedesktop.Secrets.Service.openSession()
>     collection = org.freedesktop.Secrets.Service.NetworkCollection
>     for fieldName, fieldType, fieldContent in fields:
>         if fieldType == "password":
>             algorithm = "MySecureAlgorithm"
>             parameters = "unbreakable"
>         else:
>             algorithm = "PLAIN"
>             parameters = ""
>         Secret secret = (algorithm, parameters, fieldContent)
>         collection.createItem(dict("URL", formUrl), secret, fieldName, true)
> ===============================================
> 
> And the loading process:
> ===============================================
> onFormLoaded(formUrl, fields):
>     org.freedesktop.Secrets.Service.openSession()
>     collection = org.freedesktop.Secrets.Service.NetworkCollection
>     itemList = collection.searchItems(dict("URL", formUrl))
>     for item in itemList:
>         fields[item.Label] = item.Secret
> ===============================================
> 
> That's all for now. I hope this makes sense :).
> 
> [0] : http://arora-browser.org

Be careful with "one item per field". I think it may be better to store "groups of fields" as items,
because in a login form, a username and password belong together, and you may have multiple pairs of username-password.
Likewise for forms where you fill in your name, address etc.: you may have different "groups of values" (although some values might be constant, such as your name).

Dieter
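
The difference between the two storage layouts discussed in this thread, as an added example that is not part of either original message: a constructed in-memory stand-in for the collection (not the real org.freedesktop.Secrets D-Bus API) stores two logins for the same URL, first one item per field and then one item per group of fields. The overwrite rule, the "account" attribute, the label format and all sample values are assumptions made for the example.

```python
class Collection:
    """Constructed in-memory stand-in, NOT the real org.freedesktop.Secrets API."""
    def __init__(self):
        self.items = []

    def create_item(self, attrs, secret, label, replace):
        # Assumption: replace=True overwrites an item with same label and attributes.
        if replace:
            for item in self.items:
                if item["label"] == label and item["attrs"] == attrs:
                    item["secret"] = secret
                    return item
        item = {"attrs": dict(attrs), "label": label, "secret": secret}
        self.items.append(item)
        return item

    def search_items(self, attrs):
        return [i for i in self.items
                if all(i["attrs"].get(k) == v for k, v in attrs.items())]

def store_per_field(coll, url, fields):
    # Proposal: one item per field, label = field name.
    for name, value in fields.items():
        coll.create_item({"URL": url}, value, name, True)

def load_per_field(coll, url):
    return {i["label"]: i["secret"] for i in coll.search_items({"URL": url})}

def store_grouped(coll, url, fields, key_field="username"):
    # Reply: one item per group of fields. The extra "account" attribute and
    # the label format are hypothetical choices made for this example.
    attrs = {"URL": url, "account": fields[key_field]}
    coll.create_item(attrs, dict(fields), f"{url} ({fields[key_field]})", True)

def load_grouped(coll, url):
    return [i["secret"] for i in coll.search_items({"URL": url})]

def demo():
    url = "https://example.test/login"  # constructed sample data
    logins = [{"username": "alice", "password": "pw-a"},
              {"username": "bob", "password": "pw-b"}]
    per_field, grouped = Collection(), Collection()
    for login in logins:
        store_per_field(per_field, url, login)
        store_grouped(grouped, url, login)
    return load_per_field(per_field, url), load_grouped(grouped, url)

if __name__ == "__main__":
    print(demo())
```

With one item per field the second login silently replaces the first, while the grouped layout keeps both pairs and still overwrites in place when the same account saves a new password.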

