emacs-devel

Re: secret strings


From: Ted Zlatanov
Subject: Re: secret strings
Date: Fri, 01 Apr 2011 10:12:13 -0500
User-agent: Gnus/5.110016 (No Gnus v0.16) Emacs/24.0.50 (gnu/linux)

On Fri, 01 Apr 2011 23:38:20 +0900 "Stephen J. Turnbull" <address@hidden> wrote:

SJT> Ted Zlatanov writes:
>> I'm not proposing a security model; the user protection is only
>> that there's a smaller chance an attacker would see the secret
>> strings in a memory image of the Emacs process.

SJT> My point is, if you have no security model, why bother?

SJT> It is very unlikely that an attack on Emacs memory would reveal
SJT> "secret strings".  If somebody cares about that small chance, they're
SJT> either kidding themselves, or they have a security model that will
SJT> tell them to *ignore* the autowiping GC, and wipe themselves.

OK.  I'll buy that.  So how, then, does the producer, the
auth-source API, encourage consumers to wipe their secrets?  Should it
set a timer (for a duration specified by the consumer) after which the
secret gets wiped and 'wiped is returned instead?  How can Emacs Lisp
and maybe the new lexbind features help make this as seamless as
possible for the consumer?

On Fri, 01 Apr 2011 10:59:20 -0400 Stefan Monnier <address@hidden> wrote: 

>> I don't think that's the same thing.  We want to pass the
>> producer-generated data around and wipe it when the garbage collection
>> deallocates the memory.  But maybe I misunderstand something.

SM> I don't think that's what you want: work done by finalizers should never
SM> be significant (e.g. it's a bad idea to use finalizers to close
SM> file-handles, or to wipe sensitive data).  If you want to wipe that
SM> data, then do it explicitly with `clear-string', since the GC might
SM> never collect it.

OK, I understand.  See my question above.

Ted
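
An added illustration, not part of Ted's message or of the auth-source API: one way a consumer could follow the advice quoted above and wipe explicitly with `clear-string`, by scoping the secret to a body form. The names `my-with-secret`, `my-demo-fetch-secret` and `my-demo` are hypothetical, and the secret value is constructed.

```elisp
;;; -*- lexical-binding: t -*-

(defmacro my-with-secret (spec &rest body)
  "Bind VAR to the string returned by FORM, run BODY, then wipe the string.
SPEC is (VAR FORM).  The string is cleared with `clear-string' when BODY
finishes, including on error or any other non-local exit.
Hypothetical helper, not part of auth-source."
  (declare (indent 1))
  (let ((var (car spec))
        (form (cadr spec)))
    `(let ((,var ,form))
       (unwind-protect
           (progn ,@body)
         ;; Explicit wipe: does not depend on the GC ever collecting VAR.
         (when (stringp ,var)
           (clear-string ,var))))))

(defun my-demo-fetch-secret ()
  "Constructed stand-in for a producer such as auth-source.
Returns a fresh string so that wiping it never touches a literal constant."
  (copy-sequence "s3cr3t-constructed"))

(defun my-demo ()
  "Return non-nil if the secret string still holds its value after the scope."
  (let (same-object)
    (condition-case nil
        (my-with-secret (pw (my-demo-fetch-secret))
          ;; Keep a reference to the very same string object (not a copy).
          (setq same-object pw)
          ;; Simulate a consumer failing halfway through.
          (error "constructed failure while using the secret"))
      (error nil))
    ;; The cleanup form ran despite the error, so the object that
    ;; SAME-OBJECT points at has been overwritten in place.
    (string= same-object "s3cr3t-constructed")))
```

Copies that the body makes (via `concat`, `format`, `substring` and so on) are separate strings and are not wiped by this macro.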



