
Re: Master passphrase approach, authn storage, cobwebs in C-Mike's head, ...

From: Thomas Åkesson <thomas_at_akesson.cc>
Date: Tue, 17 Apr 2012 03:53:58 +0200

On 16 apr 2012, at 20:05, "C. Michael Pilato" <cmpilato_at_collab.net> wrote:

> On 04/16/2012 12:33 PM, Thomas Åkesson wrote:
>> Personally, the feature to manually move/copy the encrypted store is definitely useful, but I do consider some other features of the Desktop-integrated storage APIs significantly more value-adding (I mostly use OSX Keychain):
>>
>> - Unlocking the encrypted storage on login. (would still work, via master passphrase in Keychain/KWallet/Keyring)
>> - Not a separate passphrase. Changing password for the OS user account manages the re-encryption.
>> - Automated password storage replication. OS X with MobileMe (subscription) _had_ this feature. It is sorely missed in iCloud and I am not alone in hoping for its return.
>> - Relatively intuitive UI to manage cached credentials, including retrieving forgotten ones.
>>
>> I am afraid OS X users might consider moving away from Keychain a bit of a regression (can't speak for Gnome/KDE users).
>
> Yeah, I hear you about the OS X user point of view. At this point, I'm
> fairly convinced that for Windows and OS X, the use-master-password feature
> will be less frequently used. (It will be off by default on all OSes.)

AFAIK, both KWallet and Gnome Keyring require a graphical desktop and, to a large extent, lack command-line tools. Is that kind of the core problem here?

I would like to see a non-graphical implementation of the Secret Service API with a solid CLI. That would merit a project in itself, separate from Subversion (e.g. Apache Keywhatever). It seems like D-Bus can be used either with a daemon or, more lightweight, with just libdbus. Are there any OSes with a pressing need for Subversion password storage that do not have libdbus?

Alternatively, if there is a determination to implement encrypted storage within the Subversion project, how about basing that "module" on the Secret Service API, with or without libdbus?
 - All Subversion's requests for secrets done with the same API, untangling the code.
 - Internally stored secrets are just returned by the module (non-graphical POSIX systems and potentially Windows).
 - Secrets stored in Gnome Keyring/KWallet are requested using their Secret Service implementation, which is simply relaying the API calls.
 - Keychain is wrapped by the module. Not sure how difficult it is to map Keychain and the Secret Service API, but it would be a bit surprising if it turns out to be impossible.
Received on 2012-04-17 03:54:33 CEST

This is an archived mail posted to the Subversion Dev mailing list.
