[Authentication] Proposal for a common secrets handling in web browsers

Guillaume Martres smarter3 at gmail.com
Wed Jul 15 11:13:40 PDT 2009


Hi,

On Wednesday 15 July 2009 19:39:07, Stef Walter wrote:
> Guillaume Martres wrote:
> > As an Arora[0] developer I am very interested in this project, as it will
> > allow us to have cross-desktop password handling. Since this project is
> > still at an early stage, I'd like to take the chance to standardize the
> > way "secrets" will be stored by web browsers. In this post I'll almost
> > only speak of forms handling since that's the most important part but the
> > goal is to cover every "secret" a browser may have.
> > - General stuff:
> > * Add a "network" collection. KWallet already does that and this seems a
> > good idea to keep things together and not clutter the default collection.
> > It would be available using
> > org.freedesktop.Secrets.Service.NetworkCollection
>
> Not sure I understand what you mean by this. Could you elaborate
> further? Obviously an application has the choice to make/use any
> collection it desires.
The goal is that browsers share their secrets, so that you can switch browsers 
and still have access to all your secrets.
> > - Forms handling:
> > * Use the attribute "URL" to indicate the page where the form lies.
> > * Store every field content in a different item, as a secret. The label
> > of the item will be the name of the field. If an item with the same label
> > already exists, overwrite it.
>
> May I suggest that these be marshalled into a single value?
Yes, Michael's post convinced me that it was a better idea to have a one-to-one 
mapping between forms and items.
> > * Use the encryption algorithm "plain" for every secret, except if it is
> > a password field secret. In this case, use whatever encryption the
> > specification recommends.
>
> If you don't need the non-password field so to be encrypted you could
> store them (with a prefix possibly) directly as attributes on the item.
Isn't that a misuse of the API? It'll also add work on the client side to find 
out which attributes are form fields and which aren't. Storing everything in 
the Secret (something like Dict<String,String>) seems better.

-- 
Regards,
Guillaume Martres - https://launchpad.net/~smarter
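As an added illustration (not code from this thread, from Arora, or from any Secret Service implementation), the following in-memory model shows the two item layouts discussed above side by side: one item per form with every field marshalled into the single secret value as a Dict<String,String>, versus non-password fields stored as prefixed attributes with only the password in the secret. The collection name is the one proposed in the thread; the `SecretItem`, `Collection`, `build_form_item_*`, `restore_form_fields` and `ATTR_PREFIX` names and the sample form data are assumptions made for the example, and a real client would go through D-Bus rather than a Python list.

```python
# Added example, not from the Authentication list or the Secret Service spec:
# an in-memory model of the proposed form-secret layouts. Class and function
# names here are hypothetical; the collection name is the one from the thread.
import json
from dataclasses import dataclass, field
from typing import Dict, List

NETWORK_COLLECTION = "org.freedesktop.Secrets.Service.NetworkCollection"
ATTR_PREFIX = "form-field:"  # hypothetical prefix for the attribute-based layout


@dataclass
class SecretItem:
    """One item: a label, searchable plaintext attributes, and a single
    secret value that the service (not this model) encrypts at rest."""
    label: str
    attributes: Dict[str, str]
    secret: bytes


@dataclass
class Collection:
    name: str
    items: List[SecretItem] = field(default_factory=list)

    def search(self, **attrs: str) -> List[SecretItem]:
        """Lookup matches on attributes only; no secret is decrypted to find
        an item, which is also why attributes must never hold secrets."""
        return [i for i in self.items
                if all(i.attributes.get(k) == v for k, v in attrs.items())]

    def store(self, item: SecretItem) -> None:
        """Overwrite an existing item with the same label and URL (the
        'if it already exists, overwrite it' rule), otherwise append."""
        for idx, existing in enumerate(self.items):
            if (existing.label == item.label and
                    existing.attributes.get("URL") == item.attributes.get("URL")):
                self.items[idx] = item
                return
        self.items.append(item)


def build_form_item_marshalled(url: str, form_name: str,
                               fields: Dict[str, str]) -> SecretItem:
    """One-to-one form/item mapping: all fields, secret or not, marshalled
    into the single secret value as a JSON object (Dict<String,String>)."""
    return SecretItem(label=form_name,
                      attributes={"URL": url},
                      secret=json.dumps(fields, sort_keys=True).encode("utf-8"))


def build_form_item_split(url: str, form_name: str, fields: Dict[str, str],
                          password_fields: List[str]) -> SecretItem:
    """The alternative from the thread: non-password fields become prefixed
    attributes; only the password fields go into the secret value."""
    attrs = {"URL": url}
    secret_part: Dict[str, str] = {}
    for name, value in fields.items():
        if name in password_fields:
            secret_part[name] = value
        else:
            attrs[ATTR_PREFIX + name] = value
    return SecretItem(label=form_name, attributes=attrs,
                      secret=json.dumps(secret_part, sort_keys=True).encode("utf-8"))


def restore_form_fields(item: SecretItem) -> Dict[str, str]:
    """Reassemble the field dict from either layout. For the split layout the
    client must pick form-field attributes out of all attributes, which is
    the extra client-side work the reply above objects to."""
    fields: Dict[str, str] = json.loads(item.secret.decode("utf-8"))
    for key, value in item.attributes.items():
        if key.startswith(ATTR_PREFIX):
            fields[key[len(ATTR_PREFIX):]] = value
    return fields


def demo() -> Collection:
    """Constructed sample data (not captured from any real site)."""
    coll = Collection(NETWORK_COLLECTION)
    url = "https://example.invalid/login"
    fields = {"username": "alice", "remember": "on", "password": "hunter2"}
    coll.store(build_form_item_marshalled(url, "login", fields))
    # Saving the same form again overwrites the earlier item.
    coll.store(build_form_item_marshalled(url, "login", {**fields, "password": "newpass"}))
    coll.store(build_form_item_split(url, "login-split", fields, ["password"]))
    return coll


if __name__ == "__main__":
    for it in demo().search(URL="https://example.invalid/login"):
        print(it.label, sorted(it.attributes), restore_form_fields(it))
```

The practical difference between the two layouts is what ends up searchable in plaintext: attributes are the lookup key and are not protected the way the secret value is, so the split layout exposes usernames and other field contents to anything that can enumerate the collection, while the marshalled layout keeps everything but the URL inside the encrypted value at the cost of decrypting it before a field can be read.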

