Closed Bug 1153422 (nsec-verify) Opened 6 years ago Closed 4 years ago

[META] Tracking bug for Verifying Signatures implementation of New Security Model

Categories

(Firefox OS Graveyard :: General, defect, P1)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jgong, Unassigned)

References

Details

(Whiteboard: [newsecurity])

User Story

This is a V3 initiative for a New Security Model.  https://wiki.mozilla.org/FirefoxOS/New_security_model

This Meta Bug is for tracking the "Verifying signatures" implementation, a sub-component of the bigger New Security Model project. https://wiki.mozilla.org/FirefoxOS/New_security_model#Verifying_signatures.

********
Verify Signatures 

To load a webpage in a signed package, the user navigates to a URL like "https://website.com/RSSReader2000/package.pak!//index.html". The part before the "!//" is the URL to the package itself. The part after the "!//" is the resource path inside the package.

So loading signed content does not require an installation to happen. Simply navigating to a URL like the above is enough.

When the user navigates to such a page, Gecko will download the package from the webserver. Gecko will then see in the header of the package that the package is signed.

Before serving any resources from the package to the rest of Gecko, the network layer will first wait for the signatures to be loaded from the package. It will also verify that the resource that is currently being loaded is covered by, and matches, the signature.
This is a V3 initiative for a New Security Model.  https://wiki.mozilla.org/FirefoxOS/New_security_model

This Meta Bug is for tracking the "Verifying signatures" implementation, a sub-component of the bigger New Security Model project. https://wiki.mozilla.org/FirefoxOS/New_security_model#Verifying_signatures
User Story: (updated)
Summary: [META] Tracking bug for Signing implementation of New Security Model → [META] Tracking bug for "Verifying Signatures" implementation of New Security Model
Depends on: nsec-csp
User Story: (updated)
No longer depends on: nsec-signing
Depends on: nsec-signing
Summary: [META] Tracking bug for "Verifying Signatures" implementation of New Security Model → [META] Tracking bug for Verifying Signatures implementation of New Security Model
Depends on: nsec-isolation
Depends on: nsec-installing
Depends on: nsec-sw
Depends on: nsec-origins
Blocks: nsec
No longer depends on: nsec-signing
Depends on: nsec-signing
Blocks: nsec-signing
No longer depends on: nsec-signing
Blocks: nsec-origins
No longer depends on: nsec-origins
No longer blocks: nsec-signing, nsec-origins
Blocks: nsec-signing
No longer depends on: nsec-signing
No longer depends on: nsec-isolation
Blocks: nsec-sw
No longer depends on: nsec-sw
Blocks: nsec-csp
No longer depends on: nsec-csp
No longer depends on: nsec-installing
Blocks: nsec-csp
No longer depends on: nsec-csp
Blocks: 1153449
Whiteboard: [NewSecurity] → [newsecurity]
Priority: -- → P1
Depends on: 1185439
Depends on: 1188717
blocking-b2g: --- → 2.5+
Depends on: 1214079
Component: Security → General
Product: Firefox → Firefox OS
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.