10.21.13 Engineering Progress Report for Firefox Accounts and Sync.next

Lloyd Hilaiel lhilaiel at mozilla.com
Tue Nov 5 01:04:34 PST 2013


On Oct 25, 2013, at 4:07 AM, Lloyd Hilaiel <lloyd at mozilla.com> wrote:

> On Oct 25, 2013, at 3:22 AM, Ryan Kelly <rfkelly at mozilla.com> wrote:
> 
>> On 25/10/2013 11:03 AM, Zachary Carter wrote:
>>> I'll write a patch. With the new raw_password endpoints on the FxA
>>> server, a HAWK client with a key derivation helper is sufficient to get
>>> the FTU flow working on FxOS for 1.3.
>> 
>> Wait, do we plan to keep these raw_password endpoints and ship something
>> on top of them?  I thought they were squarely in "temporary hack" territory.
> 
> At the risk of speaking with too little context, I'd love to see a `minimally_stretched` endpoint instead.  .5s of PBKDF2 on ZTE open in javascript perhaps gives us a middle ground between raw password on the wire and an acceptable stopgap.

Hmmm.  PBKDF2-SHA256 250k rounds on my ZTE open in pure javascript [1] takes about 47s.

It seems like we’re doing some work to expose native key stretching on android [2].

It also seems like we’re going to need to do some stretching on Firefox OS in the short term OR send raw passwords over the wire (from various environments, including web content if we stick with our plan of implementing certain less prevalent flows in content for the 1.3 timeframe).

Searching around in mozilla central I see various implementations of PBKDF2, in various places, implemented by various people I know and like.

Further, I see a bug open for this that hasn’t got any details in it yet [3].

Finally, a standalone focused PBKDF2-SHA256 is purdy simple [4].

Questions:
1. Do folks agree this would be on the dependency list for fxos 1.3?
2. Is it worth implementing this natively once and using it on all of our UAs?
3. Is there already work in progress that I’m not aware of?
4. This seems like a nice isolated & well defined bit of work we could ||ize?

<3,
lloyd

[1]: http://people.mozilla.org/~lhilaiel/pbkdf2/
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=915312
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=922887
[4]: https://github.com/lloyd/mehmeh


> lloyd
> 
>> 
>> Ryan
>> 
>> _______________________________________________
>> Dev-fxacct mailing list
>> Dev-fxacct at mozilla.org
>> https://mail.mozilla.org/listinfo/dev-fxacct
> 




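Added example, not part of the original message or of the code it links to: PBKDF2-SHA256 written directly on top of HMAC-SHA256, plus a helper that scales one timing measurement to a time budget, applied to the thread's figures (250k rounds in about 47s, a 0.5s target). It assumes Node.js and its built-in `crypto` module for HMAC; the function names are hypothetical.

```javascript
const crypto = require('crypto');

// PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF. Function names here are
// hypothetical; only Node's built-in HMAC is used as a primitive.
function pbkdf2Sha256(password, salt, rounds, dkLen) {
  const hLen = 32; // SHA-256 output size in bytes
  const blocks = [];
  for (let i = 1; i <= Math.ceil(dkLen / hLen); i++) {
    const idx = Buffer.alloc(4);
    idx.writeUInt32BE(i, 0);
    // U_1 = HMAC(password, salt || INT32_BE(i))
    let u = crypto.createHmac('sha256', password).update(salt).update(idx).digest();
    const t = Buffer.from(u);
    // U_j = HMAC(password, U_{j-1}); T_i = U_1 ^ U_2 ^ ... ^ U_rounds
    for (let j = 1; j < rounds; j++) {
      u = crypto.createHmac('sha256', password).update(u).digest();
      for (let k = 0; k < hLen; k++) t[k] ^= u[k];
    }
    blocks.push(t);
  }
  return Buffer.concat(blocks).subarray(0, dkLen);
}

// PBKDF2 cost is linear in the round count, so one (rounds, seconds)
// measurement scales proportionally to any time budget.
function roundsForBudget(measuredRounds, measuredSeconds, budgetSeconds) {
  return Math.floor((measuredRounds * budgetSeconds) / measuredSeconds);
}

// Time a short probe on the current device and scale it to the budget.
// The password and salt are constructed sample values.
function calibrate(budgetSeconds, probeRounds = 2000) {
  const start = process.hrtime.bigint();
  pbkdf2Sha256('constructed-password', 'constructed-salt', probeRounds, 32);
  const seconds = Number(process.hrtime.bigint() - start) / 1e9;
  return roundsForBudget(probeRounds, seconds, budgetSeconds);
}

// The thread's data point: 250k rounds in about 47s, with a 0.5s target.
console.log('rounds in 0.5s at the reported speed:', roundsForBudget(250000, 47, 0.5));
console.log('rounds in 0.5s on this machine:', calibrate(0.5));
```

At the reported pure-JavaScript speed, a 0.5s budget buys roughly 2,659 rounds, about 1% of the 250k-round figure.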