[Authentication] Open Issue: Transient Collections

Michael Leupold lemma at confuego.org
Tue Sep 1 03:04:59 PDT 2009


Stef Walter wrote:

> Michael Leupold wrote:
>> Stef Walter wrote:
>>> One thing we haven't covered in the spec is collections that only live
>>> for the user's current desktop login session.
>>>
>>> In gnome-keyring we have a 'session' keyring which does this. Do we want
>>> to have something like this in the secrets API? Among other things, it
>>> seems like it would be useful for browsers to create temporary
>>> collections.
>> 
>> We currently don't have such a feature directly in KWallet but we do
>> have KPasswdServer which caches authentication information for some time
>> (actually not the whole session but less). What are session keyrings
>> used for in GNOME?
> 
> Two reasons:
> 
>  * Sharing: Multiple applications can share a secret in the
>    gnome-keyring 'session' keyring even though it won't be
>    permanently stored.
>  * Simplicity: So that GNOME apps can use the same code path for
>    both storing secrets long term and short term.
> 
> Also, I can imagine browsers using transient collections for things like
> 'incognito/private' mode, etc...
> 
> Do you think they'd be useful in KDE, perhaps used as a backend for
> KPasswdServer?

Yeah, it sounds great for that purpose actually :-)

Actually the only thing that's different from how KPasswdServer currently 
stores passwords is the items' lifetimes. But I guess it's enough to keep 
that out of the spec and let it be handled by a separate daemon which just 
removes the secrets when they expire.

Answering the second mail in one go:
I think a lifetime till logout/suspend/hibernate is alright. The details 
should be up to the daemon (and could even be configurable).

I think we could allow several transient collections at the same time, 
however we should have one predefined default transient collection similar 
to what keyring has (probably with a different name as we already have 
"sessions").

Regards,
Michael


