Both the autograph service and the pkcs7 library should go through a security audit / code review to make sure they handle key material securely.
Assigning to Greg for first pass in Q3. Will likely hire a 3rd party for a more in-depth review of the Go code of autograph, pkcs7 and hawk packages.
Assignee: jvehent → gguthe
I haven't reviewed much Go or crypto. Are there specific attacks I should look for about handling key material securely?
It's not so much the crypto I'm concerned about. Autograph implements access controls that grant users permission to request signatures using specific keys. That access control is what, if broken, could put the entire service at risk.
Recommendations are in the GitHub issue https://github.com/mozilla-services/foxsec/issues/359, and I will open issues against the autograph repo.
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → FIXED