ubuntu-phone team mailing list archive
Message #01199
Re: [Development] Solution for a password/secret storage
On 19/03/13 10:01, Alberto Mardegan wrote:
> On 03/19/2013 11:54 AM, Bruno Girin wrote:
>> OK so how does GNOME Keyring do it? My understanding is that with GNOME
>> Keyring, the default keyring is the "login" keyring that is unlocked
>> when users enter their login credentials, which is why you don't have to
>> unlock it again during a session. Presumably it means that the "login"
>> keyring is protected by the user's password?
> Yes. In fact, it's possible to make the two passwords go out of sync,
> and there you'll be prompted to enter your keyring master password as
> the first application requests a password.
OK so it's essential that whatever we do ensures that doesn't happen.
Users will have no idea what their "keyring master password" is.
>
>> Which also brings the question: with the freedesktop API, how do you
>> change the password for a given collection? Do you have to re-encrypt
>> all the data in that collection using the new password?
> The API does not cover this:
> http://standards.freedesktop.org/secret-service/ch10.html
>
> In fact, most clients should not be interested in this; they should just
> care about whether the secrets DB is locked or unlocked, that's all.
Unless you have a client that handles its own specific collection with
its own specific password. I'm thinking of apps like the password safe I
have on my phone where it makes sense to ask for a password every time
you start it.
So maybe doing this in a reliable way could be a sensible extension to
the API?
Bruno
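The "out of sync" failure Alberto describes, and Bruno's question about re-encrypting a collection on password change, come down to how a collection's key is tied to the login password. The following is an added illustrative model written for this archive page, not GNOME Keyring's or the Secret Service API's code: it assumes a common envelope design in which the collection's data key is wrapped under a key derived from the login password, so a password change only re-wraps that key, and a login password changed without re-wrapping makes the next unlock fail (which is where the master-password prompt appears). The XOR-pad wrapping is a stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative model, not GNOME Keyring's real implementation: the collection's
# data key is wrapped under a key derived from the login password. If the login
# password changes but the keyring is not re-wrapped, the two go "out of sync"
# and the next unlock attempt fails, so the user is prompted.

ITERATIONS = 200_000


@dataclass
class WrappedKey:
    salt: bytes
    wrapped: bytes  # data key XORed with a one-time pad derived from the password
    tag: bytes      # HMAC over the wrapped key, so a wrong password is rejected cleanly


def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]  # (pad, mac_key)


def wrap_key(data_key: bytes, password: str) -> WrappedKey:
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    return WrappedKey(salt, wrapped, hmac.new(mac_key, wrapped, "sha256").digest())


def unlock(entry: WrappedKey, password: str) -> Optional[bytes]:
    """Return the data key, or None when the password does not match (prompt case)."""
    pad, mac_key = _derive(password, entry.salt)
    expected = hmac.new(mac_key, entry.wrapped, "sha256").digest()
    if not hmac.compare_digest(entry.tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(entry.wrapped, pad))


def change_password(entry: WrappedKey, old: str, new: str) -> Optional[WrappedKey]:
    """Re-wrap only the data key; secrets encrypted under it need no re-encryption."""
    data_key = unlock(entry, old)
    return None if data_key is None else wrap_key(data_key, new)


def demo() -> dict:
    data_key = os.urandom(32)
    entry = wrap_key(data_key, "login-pw-1")
    out_of_sync = unlock(entry, "login-pw-2") is None  # login changed, keyring not re-wrapped
    entry2 = change_password(entry, "login-pw-1", "login-pw-2")
    in_sync = entry2 is not None and unlock(entry2, "login-pw-2") == data_key
    return {"out_of_sync_prompts": out_of_sync, "in_sync": in_sync}
```

Keeping the two in sync therefore means running `change_password` whenever the login password changes; a client that only needs to know whether the collection is locked never has to touch this step.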