From: Rob Kaper
Date: Thu, 04 Sep 2003 10:52:37 +0000
To: kde-core-devel
Subject: Re: KWallet integration
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=106267298307986

On Thu, Sep 04, 2003 at 12:11:13PM +0200, Martijn Klingens wrote:
> If root doesn't have the key it is always capable to retrieve it in a system
> that's in use. Encryption only helps against systems that are not and cannot
> be trojaned.

True, but that's no argument not to encrypt, or not to secure.

Applications like Atlantik, Konqueror and Kopete are trusted only because we
*know* what security procedures are in place and judge them to be sufficient.

If the KWallet API would allow for credit card data to be given to any of
these applications just because I unlocked my IM passwords, then I would not
consider KWallet trusted for the purpose of storing sensitive data such as
credit cards. If however it would require keyboard sniffing or binary
modifications on my system to get that data, my assessment of the security
offered will be quite different.

I think it's important that we decide whether KWallet in 3.2 will just be a
convenient way to store passwords, or whether it includes a security model. I
don't care either way, but I do want to know what exactly it will offer so I
can make a proper decision what to use it for and know what to tell others
about it.

Rob
-- 
Rob Kaper     | "They that can give up essential liberty to obtain a little
cap@capsi.com | temporary safety deserve neither liberty nor safety."
www.capsi.com | - Benjamin Franklin, Historical Review of Pennsylvania, 1759