Re: gnome-keyring enhancement proposal



On Tue, 2004-04-13 at 14:39, Alexander Larsson wrote:
> On Mon, 2004-04-12 at 20:26, Erik Grinaker wrote:
> > Hi
> > 
> > I'm the developer of Revelation, a password manager for GNOME 2. Lately
> > I've been getting a lot of requests for integration with gnome-keyring,
> > which is natural as the two systems basically aim for the same thing (a
> > central store for account information). Revelation is available here:
> > 
> > http://oss.wired-networks.net/revelation/
> > 
> > Integrating Revelation with gnome-keyring can't really be done in a nice
> > way, the best would probably be to have functionality for importing from
> > / exporting to gnome-keyring. But I think that what most people would
> > like is a mix of gnome-keyring and Revelation; a system where they could
> > easily manage their passwords, and also have applications use these
> > passwords automagically. To accomplish this, I feel that there needs to
> > be a few enhancements in gnome-keyring.
> > 
> > These proposals have not been fully thought through, but could be a
> > starting-point for further discussion (some of them are inspired by comments
> > on FootNotes). If gnome-keyring could be a complete replacement for
> > Revelation, I would be very interested in working on it instead of
> > Revelation.
> > 
> > 
> > 1. Ability to store accounts in a tree-structure, so they are easier to
> > organize. Revelation does this by letting you create "folders" which
> > accounts can be put in. This is very useful when one has a large number
> > of accounts.
> 
> gnome-keyring isn't really meant to be user-visible like that. It's all
> about automatically remembering passwords as needed inside other
> programs. Having just a tree with information in it doesn't match the
> key-value query style database that gnome-keyring uses, and the typical
> data in gnome-keyring is not structured in such a way as to work well in
> password/information display like Revelation.
> 
> > 2. Having various account types, with a set of fields for each (should
> > be extensible through XML schemas or something, so users or other apps
> > can add new account types).
> 
> Apps can store whatever type of passwords they want in gnome-keyring. The
> key-value pairs used for key-lookup have no special limits. If we want
> specific types of secrets apart from passwords and general secrets the
> API allows that by extending GnomeKeyringItemType.

Fair enough. This could be done through a layer on top of gnome-keyring
which maps accounts to nodes in the tree etc. But this is probably not
something you would want in the gnome-keyring frontend, so I guess I'll
put this into Revelation or something...


> > 3. Management of keys and certificates, for example ssh keys or
> > gpg/pgp/smime stuff.
> 
> I'm also interested in this. I haven't thought much about it though.
> 
> > 4. Ability to run programs as other local users (starting a terminal as
> > root, for example).
> 
> This isn't really related to gnome-keyring as such. It's just an
> encrypted store for secrets that apps can integrate with as they see
> fit.

True, this is more of a fluffy "this-would-be-kinda-cool" thing. But if
you run a program as root, gnome-keyring should be able to remember the
root password so that it's not necessary to re-enter it to run a
different program as root. This is perhaps possible already, as it's
just another secret which can be stored in gnome-keyring.


> > 5. Transparent encryption/decryption of files, possibly through a
> > checkbox in the file selector or something...
> 
> This would be nice and I've thought about it before, but more in the
> context of gnome-vfs. (Encryption fits well with chained uri-methods.)
> 
> However, I'm not sure how this relates to gnome-keyring.

Yes, this is more related to gnome-vfs than gnome-keyring. But say you
use a public key to encrypt files when saving, and a
symmetrically-encrypted private key when opening, it would be cool to
have gnome-keyring remember the password for the private key so that
it's not necessary to re-enter it all the time. Also, with signing files
or encrypting for a different recipient, it would need a system for
selecting the proper key etc.

Again, another fluffy idea which would be cool.


Also, is it possible to have some sort of notification mechanism in
gnome-keyring, for changes to the keyrings? Like when an account is
added/removed/updated etc... I haven't had a close look at gnome-keyring
yet, but if they're implemented as gobjects it should be possible to
handle with the signal system (?).


-- 
Erik Grinaker <erikg wired-networks net>
http://erikg.wired-networks.net/

"We act as though comfort and luxury were the chief requirements of
life, when all that we need to make us happy is something to be
enthusiastic about."
                                                      -- Albert Einstein



