Date: Thu, 30 May 2013 12:22:09 -0700 From: Xin Li <delphij@delphij.net> To: George Liaskos <geo.liaskos@gmail.com> Cc: Kris Moore <kris@pcbsd.org>, freebsd-chromium@freebsd.org, d@delphij.net, phajdan.jr@chromium.org Subject: Re: using API keys in the FreeBSD Chromium port Message-ID: <51A7A6E1.3000104@delphij.net> In-Reply-To: <CANcjpOA0ojn3FewS-gWCC_o=Cv9M3Tk9Op6u=n5bYS_p4b7Lqg@mail.gmail.com> References: <51A5F67F.3010706@freebsd.org> <51A6EFE3.7030306@delphij.net> <CANcjpOA0ojn3FewS-gWCC_o=Cv9M3Tk9Op6u=n5bYS_p4b7Lqg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/30/13 11:46, George Liaskos wrote: >> >> What's the purpose of these keys? E.g. are they used to encrypt >> sensitive information, or are they used to identify that "this >> user is running this client, unchanged"? >> > > From what i understand, the key should be unique per "derivative". > It's used to identify the client, like User Agent one could say but > with a quota on API calls. > > In this sense the "Official" Chromium port on FreeBSD should have a > unique key. > > https://groups.google.com/a/chromium.org/forum/?fromgroups#!topic/chromium-dev/Qks4W0xLxqc Ah, > ok so this is for identifying the client. I personally don't think this would work though. In order to do this, I think the only way would be: - Don't ship the port with a key. Instead, require the builder (currently everyone who runs FreeBSD) to acquire one for themselves. When the key is not present, don't build the features that requires an API key. - On FreeBSD package building cluster (as well as PC-BSD ones), deploy the "official" key and make binaries there. I don't see how this would even work as expected, though: the key is embedded in the binary and thus anyone who can run the binary and have debugging tools would be able to extract it. This situation is totally different from normal OAuth scenario, where API key is deployed on servers and protected from being accessed by average users, and the API provider can easily block misbehaving client when the key is "stolen". Cheers, - -- Xin LI <delphij@delphij.net> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJRp6bhAAoJEG80Jeu8UPuzQusH/2ZmNiv70gPN3U/mioK+O827 lTvIo1ljPQudNwco+EcXxHinJmKYj36dKxtmU4ByJQmpCazBRRufzc0Zc6dZd2FX v5cwc6QQH9o0gAFafZS1nPxREoBoBQNmxtyutxjseeEqs+e0zbxix4RQJorZXNgE I2VyOwiVyxeCaeooa83h/0ll0AkQYn9ny/lDJUoph3rq1nGgX8esIO4XdVORXFPJ mHeixoI+aRtZ963p4T9ljEnJ4yP+nVqIcpsdL8nHQOdiPuNnNdc79AE4d7RhAaaF LQ3wdj9tRsA3cgmUGe37jkT3VuGEhIi6jci+W1k2uyiecqy4Qfs2lNdj+MOcOPA= =OYyE -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51A7A6E1.3000104>