
Re: Master passphrase approach, authn storage, cobwebs in C-Mike's head, ...

From: Thomas Åkesson <thomas_at_akesson.cc>
Date: Mon, 16 Apr 2012 18:33:28 +0200

On 16 apr 2012, at 16:43, C. Michael Pilato wrote:

> On 04/15/2012 03:45 PM, Thomas Åkesson wrote:
>>> You are correct. Today we have DSO options for GNOME/KDE, and simple
>>> #if-wrapping for Win32 and MacOS. GPG Agent doesn't have the
>>> lib/heavy deps, as the code communicates with the agent not through a
>>> custom API, but directly via socket I/O.
>>>
>>> Not sure what you're envisioning when you say "a new callback".
>>
>> Just want to make sure you are aware of the initiative "Secret Service
>> API" unifying Gnome and KDE. The spec is still a draft but it seems that
>> both implement it.
>>
>> http://standards.freedesktop.org/secret-service/
>
> I was not aware of the initiative, but am happy to learn of it. The sheer
> amount of software replicated between the KDE/Gnome divide is just embarrassing.
>
>> How would the hypothetical existence of such a secret storage on Windows
>> impact this Subversion initiative?
>
> If there was a single,
> common-and-commonly-available-across-all-supported-OSes way to do this
> stuff, that'd be fantastic. But Windows isn't the problem area today, so
> I'm not sure that adding yet another way to do secrets on Windows would
> matter much.

Ok, sorry. I reread the wiki articles and the thread from late March. I gather the problem areas are unmaintainable code and OSes where no encrypted storage is available/installed.

>
> The Secret Service thing would allow us to continue offloading
> responsibility for encryption to third-parties as we do today, though at the
> continued cost of a hybrid storage model (where half of the details we need
> to know to authenticate are cached in ~/.subversion, the other half live
> elsewhere). As such it doesn't allow us to easily pick up and relocate an
> encrypted store to another machine -- but I don't know how interesting that
> feature is to anyone.

Personally, the feature to manually move/copy the encrypted store is definitely useful, but I do consider some other features of the Desktop-integrated storage APIs significantly more value-adding (I mostly use OS X Keychain):

 - Unlocking the encrypted storage on login. (would still work, via master passphrase in Keychain/KWallet/Keyring)
 - Not a separate passphrase. Changing password for the OS user account manages the re-encryption.
 - Automated password storage replication. OS X with MobileMe (subscription) _had_ this feature. It is sorely missed in iCloud and I am not alone in hoping for its return.
 - Relatively intuitive UI to manage cached credentials, including retrieving forgotten ones.

I am afraid OS X users might consider moving away from Keychain a bit of a regression (can't speak for Gnome/KDE users).

Cheers,
/Thomas Å.
Received on 2012-04-16 18:34:02 CEST

This is an archived mail posted to the Subversion Dev mailing list.
