Breakout keysigning into seperate process like browserid #7

ozten opened this Issue Apr 24, 2012 · 11 comments


None yet
2 participants

ozten commented Apr 24, 2012

via email from @benadida

Split bin/bigtent code into two components: one that does almost everything except keysigning, and the other that does keysigning. As in the typical BrowserID code, the keysigning functionality should be proxied from the first component to the other. This is so we have a layer of defense in case attackers penetrate the top-level machine, they don't have access to the keysigning functionality.

I recommend we do this in much the same way we BrowserID splitting. In fact, Lloyd's figured out so much of the details of proxying properly that we really should reuse his code as is, maybe even turn it into a reusable.

lloyd was assigned May 10, 2012


ozten commented May 10, 2012

Assigning to lloyd, as he expressed interest.

Our code freeze date is 5/20 and this will take me 3-4 days, so let me know if I should take this one.

You can see how I tackled this in

Probably you'll have a much easier time with the codez.



lloyd commented May 21, 2012

I got sick and was supposed to have helped on this by now. Am I too late if I spend a timeboxed couple hours in the next 24?


ozten commented May 21, 2012

No, you'll be more efficient than me, go for it.


ozten commented May 24, 2012

Please take Issue #28 into account.


lloyd commented May 26, 2012

I've begun work on this:

It's a functional keysigner at this point. I'll clean up documentation and the initial implementation work on integration here.

hows this look?


ozten commented May 29, 2012

This is awesome. I'll comment on commits in that repo.


ozten commented May 29, 2012

Do you have a branch of bigtent which uses keysigner?


lloyd commented May 29, 2012

no! not yet. I will make this one of my goals for tomorrow. I have a tiny handful of issues open before I can attack this


lloyd commented May 29, 2012


ozten commented Jun 5, 2012

@lloyd has landed the new service.

I've integrated it in the 'certifier' BT branch.

Will merge after code cleanup and other patches land to avoid conflicts.


ozten commented Jun 6, 2012

I've merged the new certifier code.

The next time you update BigTent....

You must deploy a certifier locally.
You must update your config with hostname and port of the certifier.
The certifier must be running before starting up bigtent.

See updated docs in both BigTent and Certifier

/cc @callahad @fetep

ozten closed this Jun 6, 2012

@shane-tomlinson shane-tomlinson added a commit that referenced this issue Oct 20, 2015

@shane-tomlinson shane-tomlinson Merge pull request #7 from mozilla/1208480-disable-redirect-prod
Bug 1208480 - disable directory redirects when serving static content.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment