Closed
Bug 532884
Opened 15 years ago
Closed 15 years ago
Do not store the client's private key raw on the server --> proposed a new means of allowing clients to share / establish a connection
Categories
(Firefox :: Sync, enhancement)
RESOLVED
WONTFIX
People
(Reporter: db.pub.mail, Unassigned)
Details
(Whiteboard: [WeaveTestday])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: firefox 3.5.5, 1.0b2
Weave is a great idea. However, at present the private key is on both the server and the client. I think that Weave should focus on providing alternative login (OpenID... where did that go?...) and not *touch* passwords.
Without further tests and assurances, there is the possibility of sending passwords to the server etc. (Weave is still in development...).
The above is without a proper view (I do not code / know JavaScript) of the actual Weave code.
Reproducible: Always
Actually, it could be done like this
CLIENT -------- SERVER ------------ OTHER CLIENT
PRIVATE key(1)  PUBLIC KEY          PRIVATE KEY(2)
Initially we have a client, Alice. Then another client (Bob), who has valid credentials, comes along as shown.
The server stores data from Bob separately, at least initially. Bob sends a copy of his new PUBLIC key to the server AND a copy of his private key encrypted using ALICE's public key.
Then when Alice comes back, the server will say that a client has connected (state the client's name and time of connection etc.). It will ask Alice if she wants to authenticate Bob. If the user says yes --> then the client will receive the encrypted private key of Bob and decrypt it. Then Alice can encrypt her private key using Bob's public key and send that to the server.
There should be a fingerprint provided / emailed / other so that both Alice and Bob can confirm that the other's public key is correct.
Summary: remove password syncing from weave proper and provide it through another syncing means. → Do not store the client's private key raw on the server --> proposed a new means of allowing clients to share / establish a connection
Updated•15 years ago
Whiteboard: [WeaveTestday]
Comment 2•15 years ago
Except Alice and Bob are the same people, and you're asking for a much more complicated sync setup. The secret phrase encrypts the private key, and is not transmitted.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
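The point made in Comment 2 (the secret phrase encrypts the private key and is not transmitted) can be shown as client-side key wrapping. This is an added example, not part of the bug and not Weave's code; PBKDF2-HMAC-SHA256, AES-256-GCM, the iteration count, and every function and field name below are assumptions chosen for illustration.

```javascript
const crypto = require("crypto");
const ITERATIONS = 600000; // assumed PBKDF2 work factor, not a value from the bug

// Runs only on the client: stretch the secret phrase into an AES-256 key.
function deriveWrappingKey(phrase, salt) {
  return crypto.pbkdf2Sync(phrase, salt, ITERATIONS, 32, "sha256");
}

// First device: build the record that is uploaded to the server.
// It holds salt, IV, tag and ciphertext, never the phrase or the derived key.
function wrapPrivateKey(privateKeyPem, phrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveWrappingKey(phrase, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), wrapped: b64(ct) };
}

// Second device of the same user: download the record and unwrap it locally.
// Throws when the phrase is wrong or the stored record was altered (GCM tag check).
function unwrapPrivateKey(record, phrase) {
  const raw = (s) => Buffer.from(s, "base64");
  const key = deriveWrappingKey(phrase, raw(record.salt));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw(record.iv));
  decipher.setAuthTag(raw(record.tag));
  const pt = Buffer.concat([decipher.update(raw(record.wrapped)), decipher.final()]);
  return pt.toString("utf8");
}

// Constructed demo: one user, two devices, one key pair, sample phrase.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "prime256v1",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const phrase = "constructed secret phrase"; // sample value
  const serverRecord = wrapPrivateKey(privateKey, phrase);
  const recovered = unwrapPrivateKey(serverRecord, phrase);
  const sig = crypto.sign("sha256", Buffer.from("sync record"), recovered);
  let wrongPhraseRejected = false;
  try { unwrapPrivateKey(serverRecord, "wrong phrase"); } catch { wrongPhraseRejected = true; }
  return {
    serverRecord,
    secondDeviceWorks: crypto.verify("sha256", Buffer.from("sync record"), publicKey, sig),
    wrongPhraseRejected,
  };
}
```

Whoever holds the server copy can still test guessed phrases offline against the record, so the strength of the phrase and the work factor are what protect the key.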
Updated•6 years ago
Component: Firefox Sync: Crypto → Sync
Product: Cloud Services → Firefox