Re: Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Anders Rundgren

Ian G wrote:
> On 12/7/09 21:58, Anders Rundgren wrote:
>> Nelson B Bolyard wrote:
>>> On 2009-07-12 05:51 PDT, Anders Rundgren wrote:
>>>> This is an interesting project.
>>>>
>>>> What's not completely obvious is how this relates (or could relate) to
>>>> for example Firefox.
>>>>
>>>> I must confess that I know absolutely nothing about NSS but I assume
>>>> that the "soft-token" uses obfuscation and an *optional* password as
>>>> the sole protection mechanism.
>>>
>>> Why would you assume such a silly thing?
>>
>> I'm not aware of any other methods for securing "soft" (file-based) secrets
>> unless you go under the skin of the operating system.
>
> I think he means, the password and the encrypted store are next to
> each other on the disk, which reduces to obfuscation.
>
> Whereas, afaik, Firefox doesn't do that, it insists that the user
> enter a password in, so the decrypted stuff is in memory only.
>
> People who complain about that are completely right from a "perfect
> security" viewpoint, but are dead wrong from a "market security"
> viewpoint.  The platform that people use is a computer as delivered
> according to that old IBM spec -- disk drive, memory, CPU.
>
> A tiny percentage know about things called trusted tokens, etc, but they
> are irrelevant to Mozilla's market.
>
> So, in this case, Mozilla's products are more or less where we want
> them to be:  using a software encrypted store (with a stupid name) and
> having the user decrypt them when she starts it up.
>
> iang

As I wrote in the initial posting, I know nothing about the inner 
workings of NSS.  AFAICT, the mentioned Secret Storage project would be 
redundant if NSS already uses the operating system to protect secrets, 
particularly since NSS is said to be a part of Linux.  Regarding 
passwords, by default Firefox does not require a password in order to 
use soft tokens.


Anders
still not enlightened
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Ian G

On 12/7/09 21:58, Anders Rundgren wrote:
> Nelson B Bolyard wrote:
>> On 2009-07-12 05:51 PDT, Anders Rundgren wrote:
>>> This is an interesting project.
>>>
>>> What's not completely obvious is how this relates (or could relate) to
>>> for example Firefox.
>>>
>>> I must confess that I know absolutely nothing about NSS but I assume
>>> that the "soft-token" uses obfuscation and an *optional* password as
>>> the sole protection mechanism.
>>
>> Why would you assume such a silly thing?
>
> I'm not aware of any other methods for securing "soft" (file-based) secrets
> unless you go under the skin of the operating system.

I think he means, the password and the encrypted store are next to each 
other on the disk, which reduces to obfuscation.

Whereas, afaik, Firefox doesn't do that, it insists that the user enter 
a password in, so the decrypted stuff is in memory only.

People who complain about that are completely right from a "perfect 
security" viewpoint, but are dead wrong from a "market security" 
viewpoint.  The platform that people use is a computer as delivered 
according to that old IBM spec -- disk drive, memory, CPU.

A tiny percentage know about things called trusted tokens, etc, but they 
are irrelevant to Mozilla's market.

So, in this case, Mozilla's products are more or less where we want them 
to be:  using a software encrypted store (with a stupid name) and having 
the user decrypt them when she starts it up.

iang
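The two store layouts Ian contrasts above, as an added illustration that is not code from NSS, Firefox, GNOME Keyring or KWallet: in the first, a key file sits next to the encrypted store, so anyone who can read the disk has everything needed to decrypt it (the "reduces to obfuscation" case); in the second, the key is derived from a password the user types at unlock time, so only a salt and the sealed blob are on disk and the key lives in memory only while the store is open. Python standard library only, which is why the cipher is a toy (an HMAC-SHA256 keystream in counter mode with a separate HMAC tag) rather than an AEAD such as AES-GCM; the file names, the PBKDF2 iteration count and the in-memory dicts standing in for files are all assumptions.

```python
"""Two layouts for a file-based ("soft") secret store.

Added illustration for this thread, not code from NSS, Firefox, GNOME
Keyring or KWallet.  Standard library only, so the cipher is a toy
(HMAC-SHA256 keystream in counter mode plus an HMAC tag); a real store
would use an AEAD such as AES-GCM.  The point is where the key lives.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the platform
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one master key."""
    return (hashlib.sha256(b"enc:" + key).digest(),
            hashlib.sha256(b"mac:" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a modified file raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted store")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# Layout 1: the key sits in a file next to the encrypted store.  The two
# files together are everything needed to decrypt, so for anyone who can
# read the disk the protection reduces to obfuscation.
# (The dicts stand in for files on disk; the file names are assumptions.)

def write_obfuscated_store(secret: bytes) -> dict:
    key = secrets.token_bytes(32)
    return {"store.db": seal(key, secret), "key.bin": key}


def read_obfuscated_store(disk: dict) -> bytes:
    """No user interaction needed: the key is right there on disk."""
    return open_sealed(disk["key.bin"], disk["store.db"])


# Layout 2: the key is derived from a password the user types at unlock
# time.  Only the salt and the sealed blob are on disk; the key exists in
# memory only while the store is unlocked.

def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def write_password_store(secret: bytes, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"store.db": seal(_derive_key(password, salt), secret), "salt.bin": salt}


def unlock_password_store(disk: dict, password: str) -> bytes:
    return open_sealed(_derive_key(password, disk["salt.bin"]), disk["store.db"])


def wrong_password_rejected(disk: dict, password: str) -> bool:
    """True if unlocking with this password fails the integrity check."""
    try:
        unlock_password_store(disk, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    secret = b"imap://alice@example.org password=hunter2"   # constructed sample
    obf = write_obfuscated_store(secret)
    print("layout 1, read straight from disk:", read_obfuscated_store(obf))
    pwd = write_password_store(secret, "correct horse battery staple")
    print("layout 2, key file on disk?", "key.bin" in pwd)
    print("layout 2, wrong password rejected?", wrong_password_rejected(pwd, "password1"))
    print("layout 2, unlocked:", unlock_password_store(pwd, "correct horse battery staple"))
```

The second layout is only as strong as the password and the work factor, which is exactly the trade-off the thread is about: it protects the store at rest against a reader of the disk, not against anything that can observe the process while it is unlocked.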


Re: Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Anders Rundgren

Nelson B Bolyard wrote:
> On 2009-07-12 05:51 PDT, Anders Rundgren wrote:
>> This is an interesting project.
>>
>> What's not completely obvious is how this relates (or could relate) to
>> for example Firefox.
>>
>> I must confess that I know absolutely nothing about NSS but I assume
>> that the "soft-token" uses obfuscation and an *optional* password as
>> the sole protection mechanism.
>
> Why would you assume such a silly thing?

I'm not aware of any other methods for securing "soft" (file-based) secrets
unless you go under the skin of the operating system.

Please enlighten me!

Anders



Re: Secret Storage API specification project

2009-07-12 Thread Stef Walter
Michael Leupold wrote:
> [3] http://www.freedesktop.org/wiki/Specifications/secret-storage-spec

The specification here has some bits that somehow didn't make it
through. As a temporary measure, I've uploaded the original (multi-page
html) one here:

http://www.gnome.org/~stefw/secrets/html/

And the spec DBus Introspection XML is here:

http://www.gnome.org/~stefw/secrets/org.freedesktop.Secrets.xml

Cheers,

Stef



Re: Secret Storage API specification project

2009-07-12 Thread Colin Walters
On Fri, Jul 10, 2009 at 7:04 AM, Michael Leupold wrote:
> Hi,
>
> A while ago Stef Walter (GNOME Keyring) and I (KDE Wallet) started to draft a
> common D-BUS API for secret information storage. It's meant to make Keyring-
> and KWallet-like daemons available under a common D-BUS interface and thus
> increase interoperability between GNOME, KDE and other applications having the
> need to securely store passwords and other confidential information.

Had a quick look through the API, looks pretty reasonable to me.


Re: Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Nelson B Bolyard
On 2009-07-12 05:51 PDT, Anders Rundgren wrote:
> This is an interesting project.
> 
> What's not completely obvious is how this relates (or could relate) to
> for example Firefox.
> 
> I must confess that I know absolutely nothing about NSS but I assume
> that the "soft-token" uses obfuscation and an *optional* password as
> the sole protection mechanism.

Why would you assume such a silly thing?


Re: [Authentication] Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Michael Leupold
On Sunday 12 July 2009 14:51:43 Anders Rundgren wrote:
> This is an interesting project.
>
> What's not completely obvious is how this relates (or could relate) to
> for example Firefox.

I CCed Mozilla developers because this project would enable them to use this 
daemon for storing their secrets in a secure manner as well (HTTP 
authentication, login form data, mail client passwords) - at least on 
platforms where a daemon implementing the spec is available. Another bonus is 
that - using a common storage scheme - the secrets would be available 
cross-browser, thus benefiting users who don't only use Konqueror, Epiphany, 
Arora, Firefox, ... but switch between browsers.
There are related user requests in both Mozilla's and KDE's bug trackers.

Regards,
Michael



Firefox? Re: Secret Storage API specification project

2009-07-12 Thread Anders Rundgren
This is an interesting project.

What's not completely obvious is how this relates (or could relate) to
for example Firefox.

I must confess that I know absolutely nothing about NSS but I assume
that the "soft-token" uses obfuscation and an *optional* password as
the sole protection mechanism.

Anders

- Original Message -
From: "Michael Leupold"
> Hi,
>
> A while ago Stef Walter (GNOME Keyring) and I (KDE Wallet) started to draft a
> common D-BUS API for secret information storage. It's meant to make Keyring-
> and KWallet-like daemons available under a common D-BUS interface and thus
> increase interoperability between GNOME, KDE and other applications having the
> need to securely store passwords and other confidential information.
>
> We just finished a first rough draft of the specification. For gaining
> widespread acceptance and use, we'd like to invite everyone interested to join
> the drafting process which will take place on our mailing list [1]. This
> encompasses people working on similar systems/daemons as well as application
> developers interested in using such an API.
>
> The current draft is stored inside GNOME Keyring's git repository [2] and
> generated using gtk-doc to generate the API documentation. The current working
> draft is available inside the freedesktop.org wiki [3]. If there's a need for
> it we will move the spec to a repository where collaboration will be easier
> and move the generation to docbook2html.
>
> Please note that the current D-BUS interface name is preliminary and not
> settled upon. It will be decided once the new fd.o specification process has
> been finalized.
>
> To give everyone interested the chance to join the mailing list beforehand, I'd
> like to start the discussions on Wednesday, 15th of July.
>
> Please forward this mail to members of your communities who might be
> interested in taking part in the drafting process.
>
> Regards,
> Michael Leupold
>
> [1] http://lists.freedesktop.org/mailman/listinfo/Authentication
> [2] http://git.gnome.org:80/cgit/gnome-keyring/?h=dbus-api
> [3] http://www.freedesktop.org/wiki/Specifications/secret-storage-spec

