Re: cleaning up keyrings



Hi Havoc,

Cleaning up and making more apps use the keyring is definitely a
worthwhile effort in my mind.

On Tue, 2007-08-28 at 17:33 -0400, Havoc Pennington wrote:
>  - fix Firefox to use the keyring, or at least let apps query Firefox
> password manager storage
>  - have some mechanism for "smart deductions," like "I can guess you
> have an XMPP account that matches your google.com username/password" -
> maybe this just has to be in the apps, not sure

One important thing about the gnome-keyring prompts is that they display
information the user should be able to trust / understand. Things like
that App X is trying to use the key stored by App Y. [1]

AFAIK, to do this in a secure way, the prompts stem from a separate
process [2] and the code looks at the caller's process ID to determine
what application (on Linux via /proc/<pid>/exe) is making the requests,
and then uses that name in prompts like these

 http://people.freedesktop.org/~david/gnome-keyring-allow-deny.png
 (actually this instance of the dialog, btw, looks pretty hostile to end
  users. Maybe I'm just not using gnome-keyring correctly from
  gnome-mount to save the LUKS pass phrase in the keyring. Shrug.)

The key here is that information you show in these prompts absolutely
needs to be trusted; you just cannot let the caller of the keyring API
pass in random junk; you cannot trust them.

So I wonder how this would work with Firefox. Ideally you want to
display

 "The gmail.com website"
 (and ideally also display some kind of icon whether the
  website in question is signed by a trusted third-party.)

instead of

 "The application Firefox"

As I see it, to do this the keyring prompts would need to trust the
Firefox process to get this information or you run the risk of
displaying wrong information to the user... Sounds like a pretty hard
problem to me.

Just some thoughts / ramble. Hope it's useful.

      David

[1] : In fact I'm skeptical that most users will do more than just click
through these prompts... if we didn't care about protecting secrets on a
per-application basis we would be just as well off with encrypted
homedir and just store secrets in plaintext. And then we wouldn't need a
keyring API at all.

[2] : Which is good as it means it's possible to

 1) Restrict access to the keyring database to a specific security
    context etc. that only the gnome-keyring programs run in; and

 2) In the future, use XACE to paint different window decorations to
    make the dialog look more "trusted" (a doubtful approach to security,
    but I thought I'd mention it anyway); and

 3) Show the dialogs on a different X server (e.g. the gdm greeter),
    possibly using a Secure Attention Key (ctrl+alt+del) to get there.
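As an added illustration (not code from this thread or from gnome-keyring), here is how a daemon on Linux can identify a caller the way the mail describes: take the peer PID that the kernel reports on the Unix socket, resolve /proc/<pid>/exe, and ignore whatever name the client itself sends. The socketpair()-based demo(), the PeerIdentity type, the prompt wording and the "Firefox" claim string are assumptions made up for the example; the caveats in the comments (PID reuse, deleted binaries, interpreters, unreadable /proc entries) are why the result is a label for the prompt rather than something to base authorization on.

```python
"""Added example: identify a keyring client from kernel-supplied credentials
instead of trusting a name the client sends.  Stand-alone illustration of the
peer-PID -> /proc/<pid>/exe mechanism; not gnome-keyring's own code.  Linux only.
"""
import os
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } as returned by SO_PEERCRED.
_UCRED = struct.Struct("iII")


@dataclass(frozen=True)
class PeerIdentity:          # hypothetical type for this example
    pid: int
    uid: int
    gid: int
    exe: Optional[str]       # resolved /proc/<pid>/exe, or None if unreadable


def identify_peer(conn: socket.socket) -> PeerIdentity:
    """Ask the kernel who is on the other end of a connected AF_UNIX socket.

    SO_PEERCRED is recorded by the kernel at connect()/socketpair() time, so
    the peer cannot forge it.  The exe path is read afterwards and is racy:
    the PID may have been reused, or the binary replaced, in between.  For an
    interpreted client (python3 foo.py) exe names the interpreter, not foo.py.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    pid, uid, gid = _UCRED.unpack(raw)
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        # ESRCH: process already gone.  EACCES/EPERM: different uid and no
        # ptrace permission.  Either way the application cannot be named.
        return PeerIdentity(pid, uid, gid, None)
    # A binary unlinked after exec shows up as ".../foo (deleted)".
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
    return PeerIdentity(pid, uid, gid, exe)


def describe_caller(peer: PeerIdentity, claimed_name: str) -> str:
    """Text for the allow/deny prompt.  claimed_name is what the client *says*
    it is and is deliberately unused: any process can send any string."""
    del claimed_name  # untrusted; kept in the signature to make the point explicit
    if peer.exe is None:
        return (f"An unidentified process (pid {peer.pid}, uid {peer.uid}) "
                f"wants access to the keyring.")
    return (f"The application {os.path.basename(peer.exe)} (pid {peer.pid}) "
            f"wants access to the keyring.")


def demo(claimed_name: str = "Firefox") -> Tuple[PeerIdentity, str]:
    """Simulate client and daemon in one process with a socketpair()."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(claimed_name.encode())   # the client's untrusted claim
        daemon.recv(4096)                        # daemon reads it and ignores it
        peer = identify_peer(daemon)
        return peer, describe_caller(peer, claimed_name)
    finally:
        client.close()
        daemon.close()


def own_identity() -> Tuple[int, int, str]:
    """What the daemon should find when the client is this very process."""
    exe = os.readlink("/proc/self/exe")
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
    return os.getpid(), os.getuid(), exe


if __name__ == "__main__":
    identity, prompt = demo("Firefox (honest, really)")
    print(identity)
    print(prompt)
```

The boundary this shows is also why the Firefox case in the mail is hard: the kernel can vouch for the process behind the socket, so the daemon can say "the application firefox", but nothing below the process level (which website, which tab) is visible to it, and anything Firefox reports about that would be a claim of the same kind as claimed_name above.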
