10.21.13 Engineering Progress Report for Firefox Accounts and Sync.next
lhilaiel at mozilla.com
Wed Nov 6 03:57:32 PST 2013
On Nov 6, 2013, at 12:36 AM, Chris Karlof <ckarlof at mozilla.com> wrote:
>> 4. This seems like a nice isolated & well defined bit of work we could ||ize?
> It's possible. Key stretching isn't the only thing. We also need to land code to handle SRP natively as well. Plus there's testing and measuring it. After we implement, test, and measure, it still may not be fast enough, and we'll have to do more work. Too much risk for this insane schedule. Jed and Co. don't have a complete working system yet. If someone magically has time (that shouldn't' be working on more pressing things) to land and measure a native PBKDF2 and SRP implementation, then I welcome the help. But there's no guarantee that Jed and Co will have time to integrate it.
> Did I mention the car is still apart on the garage floor? Let's support Jed and Co. to put the car back together and get it running, and then we can pimp it out.
This sounds pragmatic and right on. I’m fine with launching with raw_password if you guys are.
So that’s the short term solution, let’s do it.
Longer term though: We defined a security architecture optimized for sync originally in picl-idp. We’ve now learned that the scope of picl-idp is greatly expanded, and we must support firefoxos and web based authentication. To do so we are reverting to raw_password.
Does it make sense here to keep an open mid to the possibility that an authentication protocol of reduced complexity that we can implement at pace everywhere might be superior to the original architecture, all things considered?
I like SRP and scrypt, but our sec. arch is only as strong as the weakest link. It may turn out that a simple PBKDF2 approach with partial stretching in limited environments is both simpler, and more secure.
What data do we require to understand what a viable authentication protocol would be for our lowest common denominators? (IE8 and FirefoxOS). How hard is it to acquire that data?
> Here's some discussion of the /raw_password API. It actually isn't that bad, in particular, it's future compatible with native implementations of key stretching and SRP:
>> : http://people.mozilla.org/~lhilaiel/pbkdf2/
>> : https://bugzilla.mozilla.org/show_bug.cgi?id=915312
>> : https://bugzilla.mozilla.org/show_bug.cgi?id=922887
>> : https://github.com/lloyd/mehmeh
>>>> Dev-fxacct mailing list
>>>> Dev-fxacct at mozilla.org
>>> Dev-fxacct mailing list
>>> Dev-fxacct at mozilla.org
>> Dev-fxacct mailing list
>> Dev-fxacct at mozilla.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dev-fxacct