Nelson B Bolyard wrote:
> On 2009-10-14 01:33 PDT, Neil wrote:
>> Nelson Bolyard wrote:
>>> I'll add these thoughts. I don't know of any way to "log in" to a
>>> token that has no password. IINM, such a token just "comes up" in a
>>> state that is similar to being already logged in. It's not surprising
>>> to me that forcefully logging it out leaves it in a state where it
>>> cannot log in again without being restarted. Maybe the solution is to
>>> make it so that it cannot be logged out, since it is not truly logged
>>> in. That could be done in NSS or in PSM or in the browser outside of
>>> PSM (I think).
>>
>> That might be possible if there was some easy way of determining whether
>> there is a master password (without prompting the user for such
>> password). This method would not need to leave the user logged in if they
>> had previously been logged in with a password.
>
> ... would NOT need to leave the user logged in? really?
> Anyway, NSS certainly offers a function that answers the question of
> whether the user has a master password or not, without logging the user
> out if he is logged in (IINM). I do not know if PSM makes that available
> to its users as some sort of method on some sort of object.

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsPK11TokenDB.cpp#429
Says if there is need for a password when logging in.

> By the way, I REALLY REALLY wish that the password manager would use that
> when you click the button to reveal the passwords, instead of doing what
> it does now, which forces you to re-enter the master password, even if
> you've JUST entered it.

Isn't it just the protection? How should the software recognize that in
10 seconds after I entered the master password there is not another
person that tries to see all my passwords?
-hb-
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto