<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">+Bob<br>
+Tony<br>
<br>
Note - I should probably note that I'm going to need time to
effectively end to end test this across the entire permissions
model, so take that into account in your schedule. Otherwise, we
could end up in a situation where the pieces are there, but
someone calls "no go" in a release decision due to not enough time
to complete client-side testing. So I need a clearer picture
around a freeze date that nothing gets touched client-side except
bug fixes that are stop-ship level (which, btw, is not the case
right now). And that date needs to happen <b>really</b> soon.<br>
<pre class="moz-signature" cols="72">Sincerely,
Jason Smith
Desktop QA Engineer
Mozilla Corporation
<a class="moz-txt-link-freetext" href="https://quality.mozilla.com">https://quality.mozilla.com</a></pre>
On 12/18/2012 11:39 PM, Ben Adida wrote:<br>
</div>
<blockquote cite="mid:50D144EE.4080502@mozilla.com" type="cite">
<br>
[Jonas, Lucas: you probably want to read this.]
<br>
<br>
Hi team,
<br>
<br>
I've been asked to help out on crypto for packaged apps given that
(a) Ryan Tilder is on vacation and (b) Brian Smith is on the
critical path for both client and server features related to
packaged apps.
<br>
<br>
After conversations with Brian, Caitlin, and Bill, here's my
proposal:
<br>
<br>
1) the exact workflow for signing packaged apps is orthogonal to
the rest of the system (reviewers approving apps, signatures being
verified, etc.). We already know that we can sign a packaged app,
load it on a device, and properly verify it. Rushing out our HSM
implementation seems unnecessary. So let's put the server HSM
component on hold for now until Ryan Tilder returns.
<br>
<br>
2) Brian Smith should focus on the critical task of ensuring that
reviewers can load yet-to-be-approved packaged apps on their
phones. Brian will also write a new batch of tests to ensure that
packaged apps can be signed by cert chains of reasonable length,
so that we have flexibility in finalizing the HSM workflow. In
other words: bsmith works on client, leaves server to others.
<br>
<br>
3) we determine ASAP when the root key needs to be locked in.
Assuming it's January 8th: what is our process for generating this
key in a trustworthy way in an HSM, backing it up, and locking it
in a vault? We need a clear runbook for this. Maybe Raymond and
Joe should take the lead on this, including testing the process on
a real HSM?
<br>
<br>
4) we take a moment to examine whether the HSM workflow we're
working towards can be improved. There are some key differences
between this flow and that of app receipts:
<br>
<br>
- only a few signatures a day
<br>
- delaying signatures by a few minutes is acceptable
<br>
- revocation of the root key is nearly impossible
<br>
<br>
This might indicate a different architecture. While our server HSM
implementation is on hold, let's discuss this architecture a bit
more!
<br>
<br>
Let me know what you think,
<br>
<br>
-Ben
<br>
_______________________________________________
<br>
Packagedapps mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Packagedapps@mozilla.org">Packagedapps@mozilla.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/packagedapps">https://mail.mozilla.org/listinfo/packagedapps</a>
<br>
</blockquote>
<br>
</body>
</html>