Re: cleaning up keyrings



>  - have some mechanism for "smart deductions," like "I can guess you
> have an XMPP account that matches your google.com username/password" -
> maybe this just has to be in the apps, not sure

This needs some care. There are evils that lurk on the web side of this.
One big one is that if a central service provides a guessed
login/password from another source to firefox, I can steal it using
javascript into a hidden form which might be bad if I can trigger wrong
guesses. For pure web use this problem doesn't normally arise as the URI
gives a scope which makes sense, once you take guesses from outside you
don't know enough to guess where to paste them.

> I just started thinking about this today, so let me know what's missing.

One of the things you can use the TPM for in a treacherous computing
system is simply as a poor quality smart card. And for that matter
working with a proper smart card is similar. Being able to share my
keyring simply by

	- USB
	- Bluetooth
	- Internet
	- Smart Card
	- TPM (where there is a common root key)

including merging entries from multiple sources. PAM already lets me
direct sensitive system authentication questions to a separate trusted
display (my phone) which I can't currently do for the other apps.

Alan
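
The scoping concern in the reply above, as an added example that is not part of the original message or of any keyring project's code: a store that releases a secret to a page only on an exact origin match, and treats cross-scope "deductions" as username-only candidates that need user confirmation. The `Keyring` class, its method names and the sample URLs are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin_of(url):
    """Return (scheme, host, port), the scope a web credential is bound to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

@dataclass(frozen=True)
class Entry:
    scope: tuple      # origin the user saved this secret for
    username: str
    secret: str

class Keyring:  # hypothetical store, not a real keyring API
    def __init__(self):
        self._entries = []

    def store(self, url, username, secret):
        self._entries.append(Entry(origin_of(url), username, secret))

    def autofill(self, page_url):
        """Secrets releasable to a page without asking: exact origin match only."""
        want = origin_of(page_url)
        return [e for e in self._entries if e.scope == want]

    def guesses(self, page_url):
        """Deduced candidates from other scopes: usernames only, never a secret.
        The caller must get user confirmation before releasing anything."""
        want = origin_of(page_url)
        return sorted({e.username for e in self._entries if e.scope != want})

# Constructed sample data
ring = Keyring()
ring.store("https://mail.example.com/login", "alice", "s3cret-mail")
ring.store("https://chat.example.net/", "alice", "s3cret-chat")
```

A page on an origin the user never saved a secret for gets an empty `autofill` result, so a hidden form on that page has nothing to capture; the guess list carries no password.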



