[Authentication] project ideas

[Ben Kibbey]

Hello,

I have been working on a server (pwmd) for a little while that does
something similar to the Secrets Service but uses a different protocol
(Assuan from GnuPG and related projects) and can use but doesn't require
a master password to open the XML (encrypted) data file. An since it's
XML based anything can be put into it including configuration data.

I also have a library written to interact with pwmd along with a few
patches for some applications that I use (although none have been
included upstream). Anyway, since the Secrets Service will probably the
main method of storing sensitive data for the desktop environments (and
hopefully others environments too) there are a couple of features that
I'd like to see included so I can use it too (I don't use either of
GNOME or KDE do to system resources ATM).

One of the main reasons for writing pwmd was the use of the "target"
attribute in an XML element path. This lets the client share the same
data with another application although located somewhere else in the
document. Similar to XML entities and the HTML "target" attribute. So if
I have an application (Mutt MUA) that needs server configuration details
it requests an element by a configured element path then pwmd returns
that elements content. With the use of the "target" attribute another
application (Exim MTA) that requires the same data as another (Mutt in
this case) can get the same data although located in another element.
The XML document looks like this:

	<root name="isp">
		<username>someuser</username>
		<password>somepassword</password>
	</root>
	<root name="exim" target="isp"/>
	<root name="fetchmail" target="isp"/>
	<root name="isync" target="isp"/>
	<root name="mutt" target="isp"/>

This way I only need to update the "isp" data for all applications that
use it. If there is a way to have the Secrets Service do this that would
be cool.

It would be cool to see gconfd (not sure what KDE uses for configuration
management) and the Secrets Service merged into the same server.  Maybe
a flag in a configuration data that requires the client to authenticate
before retrieving it.

A way to connect to the DBus server as another user. pwmd uses a local
socket that any user can connect to. Since it's a unix domain socket,
file permission (ACL) and SO_PEERCRED based access work fine. I'm
thinking about Exim support in the example above.

Also require as few dependencies as possible. Nothing GUI related since
this may bloat non-GUI related apps.

Just some ideas. I hope the Secrets Service can use some of them.  You
can find pwmd at http://bjk.sourceforge.net/pwmd/.

-- 
Ben Kibbey (bjk) @ FreeNode/OFTC