Re: cleaning up keyrings
On Wed, 2007-08-29 at 17:04 -0400, Havoc Pennington wrote:
> Hi,
> 
> I wrote down the "schemas" for the current information stored by
> various apps. Here those are, essentially 5 kinds of object:
> 
> Firefox/Epiphany/etc. Browser Web Site Login
>    Domain (exact domain:port we logged in to)

Please use another name, like host or something. Domain is so overloaded
in the keyring domain (like windows domains, etc).

> GNOME Keyring Schema for File Shares (NETWORK_PASSWORD)
>    Username
>    Hostname
>    Port
>    Windows Domain
>    Protocol (http, sftp, etc.)
>    Object (i.e. random metadata string depending on type)
>    Password (secret)

There is also authtype for dav.

> Observations:
> 
> 1) stuffing the other four into the gnome-keyring NETWORK_PASSWORD
> type is just wrong. NETWORK_PASSWORD makes no sense except for file
> shares. I think the Gossip patch trying to use it is wrong and the
> NetworkManager usage of it is wrong. They should use GENERIC_SECRET
> and have their own sensible field names. (By using NETWORK_PASSWORD,
> people are doing the equivalent of picking an existing, unrelated
> database table for their new data, and if they have an integer they
> pick some random column in the existing table that happens to be an
> integer, and put their integer in there... even if it meant something
> totally different before)

Agreed.

> 2)  There's a confusing thing about gnome-keyring, which is that it
> stores metadata like account name, but *it stores one item per secret,
> not one per account or whatever* - i.e. the metadata is just a way to
> look up the secret. gnome-keyring can be abused to store the metadata,
> but that isn't really the point of it. Really gnome-keyring is only
> intended to be the canonical store for the password, and you'd have
> some other storage for the account details.

Yeah, it really is a password/secret store. Not a general application database.

> c) use gnome-keyring only for the *secrets*. i.e. say you query the IM
> accounts API, you would *separately* query gnome-keyring for the IM
> password (if you needed it). We still need docs for gnome-keyring that
> simply list the field names you can use to look up each secret.

I agree.

There is another possible use case for gnome-keyring too. Take the
Firefox remember-input-fields hack. Instead of storing that in
clear-text or hacking it into gnome-keyring directly (which might not
fit well), just generate a random key and store that in the keyring,
then when you save the input-fields, encode it with the key (perhaps
just using xor or something simple). This is an easy way to make things
like Firefox more secure, while not forcing it to totally restructure
the way it stores stuff.
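An added example, not code from this thread or from gnome-keyring, of the two patterns above together: an application stores exactly one secret in the keyring under its own attribute names (the GENERIC_SECRET-style lookup from point 1 and c), and that secret is a random key used to protect a larger data file kept outside the keyring (the remember-input-fields idea). The ToyKeyring class is a constructed in-memory stand-in for a keyring that is looked up by attributes, not the real gnome-keyring API. The "xor" is done against a keystream derived from the key with HMAC-SHA256 in counter mode, with a separate HMAC tag over the result, so the file cannot be silently modified; that construction is my choice here, not something the message specifies. The attribute names and the sample form data are made up for the example.

```python
import hashlib
import hmac
import json
import secrets


class ToyKeyring:
    """Constructed stand-in for a secret store: one item per secret,
    found by matching attributes. Not the gnome-keyring API."""

    def __init__(self):
        self._items = []  # list of (attributes dict, secret bytes)

    def store(self, attributes, secret):
        # One item per secret: replace any item with identical attributes.
        self._items = [(a, s) for a, s in self._items if a != attributes]
        self._items.append((dict(attributes), bytes(secret)))

    def find(self, attributes):
        # Return the first secret whose attributes contain all queried ones.
        for attrs, secret in self._items:
            if all(attrs.get(k) == v for k, v in attributes.items()):
                return secret
        return None


# Hypothetical attribute names chosen by the application itself, rather
# than reusing NETWORK_PASSWORD fields that mean something else.
FORMDATA_ATTRS = {"application": "example-browser", "purpose": "formdata-key"}


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one stored key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a simple stream cipher keystream.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first, then undo the XOR. Raises on any change."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("form data file was modified or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def get_or_create_formdata_key(keyring):
    # The keyring holds only the random key; the form data lives elsewhere.
    key = keyring.find(FORMDATA_ATTRS)
    if key is None:
        key = secrets.token_bytes(32)
        keyring.store(FORMDATA_ATTRS, key)
    return key


def save_formdata(keyring, formdata):
    """Return the bytes the application would write to its own data file."""
    key = get_or_create_formdata_key(keyring)
    return seal(key, json.dumps(formdata, sort_keys=True).encode())


def load_formdata(keyring, blob):
    key = keyring.find(FORMDATA_ATTRS)
    if key is None:
        raise LookupError("no form-data key in keyring")
    return json.loads(unseal(key, blob).decode())


if __name__ == "__main__":
    kr = ToyKeyring()
    sample = {"https://example.test/login": {"user": "alice"}}  # constructed
    on_disk = save_formdata(kr, sample)
    print(load_formdata(kr, on_disk))
```

The data file stays with the application and can be any size; only the 32-byte key is looked up by attributes, which is what the thread means by keeping the keyring a secret store rather than an application database. A plain repeating-key XOR without the keystream and tag would leak the key wherever the form data is predictable, so the keystream construction is the one part of the sketch not to simplify further.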
