Breakout keysigning into seperate process like browserid #7

Closed
ozten opened this Issue Apr 24, 2012 · 11 comments

Comments

Projects
None yet
2 participants
Member

ozten commented Apr 24, 2012

via email from @benadida

Split bin/bigtent code into two components: one that does almost everything except keysigning, and the other that does keysigning. As in the typical BrowserID code, the keysigning functionality should be proxied from the first component to the other. This is so we have a layer of defense in case attackers penetrate the top-level machine, they don't have access to the keysigning functionality.

I recommend we do this in much the same way we BrowserID splitting. In fact, Lloyd's figured out so much of the details of proxying properly that we really should reuse his code as is, maybe even turn it into a reusable.

lloyd was assigned May 10, 2012

Member

ozten commented May 10, 2012

Assigning to lloyd, as he expressed interest.

Our code freeze date is 5/20 and this will take me 3-4 days, so let me know if I should take this one.

You can see how I tackled this in
https://github.com/mozilla/vinz-clortho/tree/wsapi

Probably you'll have a much easier time with the codez.

Thanks!

Contributor

lloyd commented May 21, 2012

I got sick and was supposed to have helped on this by now. Am I too late if I spend a timeboxed couple hours in the next 24?

Member

ozten commented May 21, 2012

No, you'll be more efficient than me, go for it.

Member

ozten commented May 24, 2012

Please take Issue #28 into account.

Contributor

lloyd commented May 26, 2012

I've begun work on this: https://github.com/lloyd/browserid-keysigner

It's a functional keysigner at this point. I'll clean up documentation and the initial implementation work on integration here.

hows this look?

Member

ozten commented May 29, 2012

This is awesome. I'll comment on commits in that repo.

Member

ozten commented May 29, 2012

Do you have a branch of bigtent which uses keysigner?

Contributor

lloyd commented May 29, 2012

no! not yet. I will make this one of my goals for tomorrow. I have a tiny handful of issues open before I can attack this

Contributor

lloyd commented May 29, 2012

Member

ozten commented Jun 5, 2012

@lloyd has landed the new service.

I've integrated it in the 'certifier' BT branch.

Will merge after code cleanup and other patches land to avoid conflicts.

Member

ozten commented Jun 6, 2012

I've merged the new certifier code.

The next time you update BigTent....

You must deploy a certifier locally.
You must update your config with hostname and port of the certifier.
The certifier must be running before starting up bigtent.

See updated docs in both BigTent and Certifier

/cc @callahad @fetep

ozten closed this Jun 6, 2012

@shane-tomlinson shane-tomlinson added a commit that referenced this issue Oct 20, 2015

@shane-tomlinson shane-tomlinson Merge pull request #7 from mozilla/1208480-disable-redirect-prod
Bug 1208480 - disable directory redirects when serving static content.
29e0212
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment