[Authentication] Proposal for a common secrets handling in web browsers

Guillaume Martres smarter3 at gmail.com
Wed Jul 15 09:43:39 PDT 2009


On Wednesday 15 July 2009 18:14:28, Michael Leupold wrote:
> > * Use the encryption algorithm "plain" for every secret, except if it is
> > a password field secret. In this case, use whatever encryption the
> > specification recommends.
>
> The algorithm is meant to be "per session" meaning the client and the
> server negotiate it at the start of a session. This means every secret
> transmitted will use the same algorithm. Note that this does not affect how
> items are stored. (on a sidenote: all of KWallet effectively uses PLAIN
> right now :)).
Oh, ok, in that case one item per field seems alright. Your change to the 
Secret structure to not specify the algorithm in the Secret structure makes 
that clearer.

> I'd probably add a section to the spec regarding client-compatibility
> containing information like that (which is basically what the browser
> feature is about - apart from the extra objectpath alias).
Great :).
-- 
Regards,
Guillaume Martres - https://launchpad.net/~smarter