[Authentication] Proposal for a common secrets handling in web browsers
Stef Walter
stef-list at memberwebs.com
Wed Jul 15 10:39:07 PDT 2009
Guillaume Martres wrote:
> As an Arora[0] developer I am very interested in this project, as it will
> allow us to have cross-desktop password handling. Since this project is still
> at an early stage, I'd like to take the chance to standardize the way
> "secrets" will be stored by web browsers. In this post I'll almost only speak
> of forms handling since that's the most important part but the goal is to
> cover every "secret" a browser may have.
> - General stuff:
> * Add a "network" collection. KWallet already does that and this seems a good
> idea to keep things together and not clutter the default collection. It would
> be available using org.freedesktop.Secrets.Service.NetworkCollection
Not sure I understand what you mean by this. Could you elaborate
further? Obviously an application has the choice to make/use any
collection it desires.
> - Forms handling:
> * Use the attribute "URL" to indicate the page where the form lies.
> * Store every field content in a different item, as a secret. The label of the
> item will be the name of the field. If an item with the same label already
> exists, overwrite it.
May I suggest that these be marshalled into a single value?
> * Use the encryption algorithm "plain" for every secret, except if it is a
> password field secret. In this case, use whatever encryption the specification
> recommends.
If you don't need the non-password fields to be encrypted you could
store them (with a prefix possibly) directly as attributes on the item.
Cheers,
Stef
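
One way to combine the two suggestions in this reply, as an added example that is not part of the original message or of the Secret Service specification: non-password fields become prefixed attributes on a single item, and the password fields are marshalled into one secret value. The `field:` prefix, the JSON marshalling, the function names and the sample form are assumptions made for illustration.

```python
import json

FIELD_PREFIX = "field:"  # hypothetical prefix; keeps field names clear of "URL"


def build_item(url, fields):
    """fields: iterable of (name, value, is_password) for one form.

    Returns (attributes, secret): attributes are plain string lookups,
    secret is the single marshalled value the keyring would encrypt.
    """
    attributes = {"URL": url}
    protected = {}
    for name, value, is_password in fields:
        if is_password:
            protected[name] = value
        else:
            attributes[FIELD_PREFIX + name] = value
    secret = json.dumps(protected, sort_keys=True).encode("utf-8")
    return attributes, secret


def restore_fields(attributes, secret):
    """Inverse of build_item: {field name: value} for refilling the form."""
    fields = {
        key[len(FIELD_PREFIX):]: value
        for key, value in attributes.items()
        if key.startswith(FIELD_PREFIX)
    }
    fields.update(json.loads(secret.decode("utf-8")))
    return fields


# Constructed sample form, including a field that is literally named "URL".
SAMPLE = [
    ("login", "alice", False),
    ("URL", "https://blog.example/alice", False),
    ("password", "correct horse", True),
    ("pin", "0000", True),
]

if __name__ == "__main__":
    attrs, secret = build_item("https://example.org/login", SAMPLE)
    print(attrs)
    print(secret)
    print(restore_fields(attrs, secret))
```

The prefix is what lets a form field named "URL" coexist with the page's own "URL" attribute, and only the marshalled value needs to go through the secret transfer.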