Hi Ehsan,

Formal discussions have not started yet, but I have been taking notes on threads like this. I'm happy to include you in the meetings as we move to formalize the ideas into actions.

Thanks,
Adam

----- Original Message -----
From: "Ehsan Akhgari" <[email protected]>
To: "Adam Rogers" <[email protected]>
Cc: "Alive" <[email protected]>, "dev-webapi" <[email protected]>, [email protected], "dev-gaia" <[email protected]>, "Paul Theriault" <[email protected]>
Sent: Friday, December 6, 2013 12:49:11 PM
Subject: Re: [b2g] Proposal: PasswordManager on FxOS

Thanks for the note, Adam. Where is the discussion about this happening (assuming that it has started yet)?

Thanks!
Ehsan

On 12/5/2013, 7:41 PM, Adam Rogers wrote:
>
> All, I have added Password Manager functionality to the feature backlog for
> Firefox Accounts. While there are clearly many questions to answer, this is
> something that we are interested in pursuing. At this point, due to a
> significant number of unknowns, there is no target release specified for
> these features.
>
> Thanks,
>
> Adam
>
>
> ----- Original Message -----
> From: "Ehsan Akhgari" <[email protected]>
> To: "Alive" <[email protected]>, "dev-webapi" <[email protected]>,
> [email protected], "dev-gaia" <[email protected]>
> Cc: "Paul Theriault" <[email protected]>
> Sent: Thursday, December 5, 2013 6:28:30 PM
> Subject: Re: [b2g] Proposal: PasswordManager on FxOS
>
> On 12/5/2013, 3:20 AM, Alive wrote:
>> Hi folks,
>>
>> I'd like to have a password manager inside our operating system to store and
>> manage passwords you'd typed in the FxOS.
>>
>> This is an old item in my mind beyond FxOS v1.0 when I sadly found our phone
>> crashed when we visited mozilla phonebook.
>> (It had been fixed long time ago so we support HTTP authentication well now.)
>>
>> Again, think about this case:
>> EVERY time you visit https://phonebook.mozilla.org/, you need to retype the
>> password :)
>> Other than the case, there're tons of pages on the web having a password
>> field.
>>
>> Today I discussed with Paul, from security team, and be glad to know he also
>> loves this idea.
>> And what's not good is, it sounds like we are still far away from the
>> password manager.
>>
>> 1A. We need a stronger password for lock code. It'd be used for the key for
>> all your passwords. (from Paul)
>> 1B. We need to change the way storing lock code. No settings.
>> 2. We need some way to encrypt.
>
> Can we use the existing encryption facility that we use when a master
> password is set?
>
>> 3A. We need to store the password somewhere safely.
>> 3B. We need API to store the password. This API shall be only used by gaia
>> system app IMHO?
>
> Do we need to allow other applications to access this safe password
> store? I think the answer is no, and if that's the case, I'm not
> convinced that we need to design a general purpose API here.
>
>> Item (1A) Is a pure gaia work but some of my concern now are:
>> * Need UX (Hello UX ww!)
>> * We'd love to have a standalone lockscreen app,
>> and I wonder a standalone app would break the security, though this is
>> not in our case.
>> Item (2) and (3) I'm afraid I need gecko-er's chime in here.
>>
>> The password storing on desktop browser is noticed by the world due to
>> Chrome browser just put the plain password and you could easily see it in
>> the setting.
>
> We do the same, except that we let people encrypt their passwords DB
> using a master password, and we prompt for that when you try to access
> your password. I find this very fragile, and I'm not sure if we want to
> repeat this in Firefox OS. We should be able to solve this problem by
> 1) not exposing plaintext passwords anywhere in the UI, and 2)
> encrypting them with a master password. I'm not sure what the UX for
> entering that password would look like.
>
> Another thing to note is that we probably don't want to expose the
> password DB in the child process. All requests to access and/or modify
> this DB should be forwarded to the parent process.
>
> Cheers,
> Ehsan
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
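
Items 1A, 1B and 2 of the quoted proposal, together with the reply's suggestion to encrypt stored passwords with a master password, can be sketched as below. This is an added example, not code from the thread or from Firefox OS; it assumes Node.js's built-in crypto module, PBKDF2-SHA256 and AES-256-GCM, and every function name, parameter and sample value is constructed for illustration.

```javascript
const crypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumed work factor; tune for the device

// Derive the store key from the lock code. Only the random salt is persisted;
// the lock code and the derived key are never written to settings or disk.
function deriveKey(lockCode, salt) {
  return crypto.pbkdf2Sync(lockCode, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt one password with AES-256-GCM. The origin is bound in as
// associated data, so a record moved to another origin fails to decrypt.
function sealEntry(key, origin, password) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(origin, 'utf8'));
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the record
// was altered or attached to a different origin.
function openEntry(key, origin, rec) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  decipher.setAAD(Buffer.from(origin, 'utf8'));
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
  } catch (e) {
    return null; // authentication tag did not verify
  }
}

// Constructed sample data, not real credentials.
const salt = crypto.randomBytes(16);
const key = deriveKey('constructed long lock passphrase', salt);
const record = sealEntry(key, 'https://phonebook.mozilla.org', 'sample-password');
console.log(openEntry(key, 'https://phonebook.mozilla.org', record));
console.log(openEntry(deriveKey('0000', salt), 'https://phonebook.mozilla.org', record));
```

Because a wrong lock code fails at tag verification, no copy of the lock code needs to be stored to check it. In the design discussed in the thread, these functions would run only in the parent process.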
