Re: cleaning up keyrings


On 8/28/07, Stef Walter <stef-list memberwebs com> wrote:
> >  - have some mechanism for "smart deductions," like "I can guess you
> > have an XMPP account that matches your username/password" -
> > maybe this just has to be in the apps, not sure
> Along with what Alan said, pushing this too far down the stack opens up
> many possibilities for password retrieval attacks, like the recent spate
> of attacks that exploited this in Firefox and Safari.

I think you guys may understand this backward from what I meant. I am
saying if you logged in to google (or Flickr, or whatever) in the
browser, then your desktop apps could get at that login info. I'm not
saying that the browser could get stuff from the desktop - JavaScript
remains sandboxed as usual. (Though as long as somethingis tagged with
a domain, and the domain is exact-matched, that might be fine too I
would think. But of course it would have to be very carefully defined
what the "domain" field means and who sets it.)

The functionality I'm after is the same thing we already have for, where if you are logged in to the web site, then the
desktop can use the same cookie to sign on to the XMPP server.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]