gnome-keyring Passwords freely available after login

[Karl <karl1982 gmail com>]

I realize this is an ongoing and well-worn topic, but I want to weigh in since I've been a frequent Ubuntu user for some time now.  I have a problem with the way Gnome keyring handles passwords.  I understand the philosophy that a user shouldn't feel more secure than they really are, and I agree up to the point where security is sacrificed for idealism.  If your car has separate door and ignition keys, you don't leave the ignition key hanging from the hood ornament simply because no one can open the door if you always remember to lock it.  The one time you forget, someone drives off with your car.

What I would like to see is simple, although I realize its implementation is likely not.  The user should be prompted for his password when accessing the keyring, locked or otherwise.  I'm not concerned about the keyring being stolen when my laptop is locked.  The keyring is encrypted, and so is my home folder.  My concern is the one time I forget to lock my laptop when I step away for ten minutes and someone has complete unhindered access to anything that may be stored in the keyring.  This shouldn't be against the philosophy of Gnome keyring since it actually does add some measure of security to cover accidents.  If I forget to lock my laptop, it's far less likely my passwords will be viewed if they aren't readily available.  Reducing the likelihood my secrets will be stolen is an increase in security, even if you might consider it to be a small gain.  Maybe I work around people who aren't capable of breaking into the keyring, but are nosy enough to open it if it's unlocked.  In that case, the most likely scenario for the keyring to be compromised will be prevented.

The burden of protecting a user's sensitive data is a responsibility shared by both the user and the system.  The system does the user a disservice by making no effort to protect this keyring after login.  Right now I'm annoyed by the fact that Empathy won't let me log in to anything without saving the password in the keyring, which I feel obligated to remove afterward because, in my opinion, it isn't secure.  There has to be an acceptable way to handle this, and not handling it because it was originally "by design" doesn't justify being blatantly insecure.  It's a nice idea, but ultimately, it decreases the security of the system.

At the very least, Gnome keyring should have an option to let me choose this behavior.  It should be my option to choose whether I would like that one ounce of added security, even if it may feel like two.  Those who don't want it don't have to have it.