Re: cleaning up keyrings



Hi,

On 8/28/07, Stef Walter <stef-list memberwebs com> wrote:
> >  - have some mechanism for "smart deductions," like "I can guess you
> > have an XMPP account that matches your google.com username/password" -
> > maybe this just has to be in the apps, not sure
>
> Along with what Alan said, pushing this too far down the stack opens up
> many possibilities for password retrieval attacks, like the recent spate
> of attacks that exploited this in Firefox and Safari.
>

I think you guys may understand this backward from what I meant. I am
saying if you logged in to google (or Flickr, or whatever) in the
browser, then your desktop apps could get at that login info. I'm not
saying that the browser could get stuff from the desktop - JavaScript
remains sandboxed as usual. (Though as long as something is tagged with
a domain, and the domain is exact-matched, that might be fine too I
would think. But of course it would have to be very carefully defined
what the "domain" field means and who sets it.)

The functionality I'm after is the same thing we already have for
online.gnome.org, where if you are logged in to the web site, then the
desktop can use the same cookie to sign on to the XMPP server.

Havoc


