Re: cleaning up keyrings



Hi,

> Even though the keyring is locked, it seems like the application that set
> the secret should be able to retrieve it.  I don't know how you want to make
> sure it's the same calling application, there might be some tricks in that.
> But this would reduce the number of login / access the keyring dialogs.
So, at some point a password has to be asked for, because that
password is used to unencrypt the data.  In theory only one password
should need to be asked for though, the password (or smart card PIN
code) you type when you login.  That's the whole single sign on dream,
and what pam_gnomekeyring is trying to tackle.

> Perhaps my vision of the keyring is more of a secure little area where
> applications can save data that's reliable and encrypted and I have the
> master password to; however if an application wants to save some random
> secret bits in the keyring that only it will retrieve later I find it pretty
> harmless.  Is that a false assumption?
If the data is encrypted then the application won't be able to get to
the data until it's unencrypted, which means asking for a password.

Are you asking for an unencrypted area that only one application has
read access to?  If so, you might be able to do something like that
with SELinux (or AppArmor?), but I don't think it would be a very
robust solution.

--Ray



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]