HaikuBook: document Key/KeyStore API

[nielx]

This currently is undocumented.

See:

• ​https://git.haiku-os.org/haiku/tree/docs/user/app/Key.dox
• ​https://git.haiku-os.org/haiku/tree/docs/user/app/KeyStore.dox

References:

• ​https://www.haiku-os.org/blog/mmlr/2011-12-23_api_design_hard_finding_bugs_can_be_made_easy/
• ​https://git.haiku-os.org/haiku/tree/src/apps/haikudepot/model/Model.cpp#n807
• ​https://git.haiku-os.org/haiku/tree/src/bin/keystore
• ​https://git.haiku-os.org/haiku/tree/src/servers/keystore

[waddlesplash]

The Keystore doesn't encrypt its contents, so I'm not sure we should be advertising it so widely without fixing that...

[nielx]

We could make the decision to actively document this decision, like: "Warning: the KeyStore system does not currently encrypt passwords and other data. If you application needs a higher level of security, you will need to use other methods to securely store password and other data."

We could also choose to explicitly warn people against using the API.

The third option is to leave it undocumented.

I am leaning for the first one here.

[pulkomandy]

Rather than telling people to use other methods, I would rather tell them to wait until this is implemented, or help fixing it (we don't want app to come up with their own things here, there's a good reason we want to provide an API for this). But yes, not documenting this is the worst thing to do.

It can't be that hard to add a password request and encryption system to the keystore, right?

[nielx]

Putting it back as a goal for R1 beta 2.

It should indeed be made clear that the password is not encrypted, and the convenience is in the API and not in security.

[nielx]

Proposed patch on ​https://review.haiku-os.org/c/haiku/+/2319

[nielx]

Included as hrev53971

[nielx]

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone