idupree / chromium-libapps Goto Github PK

When you generate a key, or import one, does the identity select menu switch to the new key? Is that selection switched when you close and re-open the app? is it saved when you connect and then disconnect? is it saved per-connection, or globally? (I'm somewhat unclear on existing behavior; there may be no bug here at all.)

• key name
• RSA bits; maybe option for other algorithms
• passphrase (ideally with pkcs8 encryption, though that's not as simple with Forge)

Should this be a...

• dialog-within-a-dialog (if that's even possible)?
• A separate page like Options is?
• A few text fields that appear in the row of "Generate..." when you click on "Generate...", plus a "Generate!" button that appears so you can actually start generation?

• you can press generate while generating (js and css wise [underline, pointer:cursor,])
• does the async generation actually work safely with closing the dialog box first (e.g. connecting to a server)? If not, should closing the dialog box be prevented, or keygen be interrupted when the dialog is closed?
• is it possible/preferable to run the keygen in something like a Web Worker instead of forge's method of generating a key as a series of small steps? That might help with being able to use another ssh keygen implementation, if wanted (ssh-keygen from openssh would be nice to match the connect implementation)
• might it be cool to set the "..." while generating keys to rotate the google colors, one color for each dot, every fraction of a second while generating is going on?

Will people want to download it too?

I think copy is probably fine for now.

Also, pedantically, when you click to copy, "Selection copied" pops up, which should maybe be "Pubkey copied" or "[name of pubkey] copied", but the message is only there for a split second anyway.

Right now, key generation deletes your current key with that name. It should either be prevented or have an extra confirmation dialog if that happens. I'd err towards preventing it and telling you how you can delete the old key if you really want to.

It's generally fine:

• BSD3 license is fine
• it uses Web Crypto APIs for the most serious crypto part (the library is mainly needed to do a lot of formatting the keys into the correct text formats)
• if there are any timing attacks against keygen due to the JS part, they seem unlikely to be a large risk for a human generating a single key.

But, adding a library -- at all, and especially to do a crypto thing -- is still questionable.

The most 'obvious' alternative is to use OpenSSH ssh-keygen (Don't know yet whether that is easy or hard. Would also need to make sure it's sufficiently interruptible.)