Closed
Bug 728381
Opened 12 years ago
Closed 11 years ago
Security review for Vinz Clortho the BrowserID IdP Server for Mozilla.com
Categories
(mozilla.org :: Security Assurance: Review Request, task, P4)
Tracking
(Not tracked)
RESOLVED DUPLICATE of bug 867489
People
(Reporter: ozten, Assigned: ygjb)
References
Details
(Whiteboard: [qa-][pending secreview][pending stage][score:14::Low])
# A quick intro to what this app does.
Overview: This is a new, stand-alone server which complements the current Intranet. Re-using a user's LDAP credentials, it implements the BrowserID Primary protocol for IdPs. It provides crypto certificates to guarantee the identity of mozilla.com email and email aliases.

# Where is the source code located?
Source: TBD. Built on existing eyedee.me primary server in https://github.com/lloyd/eyedee.me but at a new repo.

# Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
Pending

# Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Mozilla Services/Server: Identity

# Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
Server binds to LDAP as user.

# Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
App is deeply connected to authentication. Test LDAP accounts may be needed.

# What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
Any website on the web which uses BrowserID will talk to this service for people claiming to own a mozilla.com account.
* Impersonating a mozilla.com employee
* Identity theft
* Probably more bad stuff

# Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
No admin page.

# This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Would need to start architecture review soon. We're shooting for end of Q1 launch.
Comment 1 (Reporter), 12 years ago
Initial design is at https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=18350197
Updated•12 years ago
Whiteboard: [qa-]
Comment 2 (Reporter), 12 years ago
Proposed codebase, including README https://github.com/ozten/vinz-clortho/blob/master/README.md
Updated•12 years ago
Keywords: sec-review-needed
Whiteboard: [qa-] → [qa-][pending secreview]
Updated (Assignee), 12 years ago
Whiteboard: [qa-][pending secreview] → [qa-][pending secreview][secr:yvan]
Updated•12 years ago
QA Contact: mcoates → jstevensen
Updated•12 years ago
Component: Security Assurance: Operations → Security Assurance: Review Needed
Updated•12 years ago
Assignee: security-assurance → yboily
Status: NEW → ASSIGNED
Updated (Reporter), 12 years ago
Summary: Security review for BrowserID IdP Server for Mozilla.com → Security review for Vinz Clortho the BrowserID IdP Server for Mozilla.com
Updated•12 years ago
Keywords: sec-review-needed
Whiteboard: [qa-][pending secreview][secr:yvan] → [qa-][pending secreview]
Comment 3 (Reporter), 12 years ago
This project has been inching forward. Status update:

QA has started initial testing against our IT hosted development server.
Test Plan details: https://etherpad.mozilla.org/identity-vinz-clortho-test-plan
Due to LDAP and IdP delegation, testing is a bit wacky, please read test case 1 closely...
Code Repo: https://github.com/mozilla/vinz-clortho
Stage: still being deployed
Updated•12 years ago
Whiteboard: [qa-][pending secreview] → [qa-][pending secreview][pending stage]
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 2 (P4) - Team Quarterly Goal
Operational: 1 - Minor
User: 3 - Major
Privacy: 3 - Major
Engineering: 1 - Minor
Reputational: 1 - Minor
Priority Score: 14
Severity: normal → major
Priority: -- → P4
Whiteboard: [qa-][pending secreview][pending stage] → [qa-][pending secreview][pending stage][score:14::Low]
Comment 5 (Reporter), 11 years ago
We should have a stage environment in the next 2 weeks.
This project is hot hot hot. I'm going to open a new bug, follow ozten's template, and lay out all the current details. Starting now.
Comment 7, 11 years ago
moved to https://bugzilla.mozilla.org/show_bug.cgi?id=867489
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
:lloyd
^[bad comment submit] :lloyd - I'm completely confused as to why you made a new bug rather than continue working in this bug, and as to why a newer bug would be a duplicate of an older bug?
Comment 10, 11 years ago
:curtisk because this project has been completely "rebooted". More than 1/2 of the original description no longer applies. I wanted to open a new bug to eliminate irrelevant information and make the communication and review more efficient and meaningful. I couldn't think of a better way to do it.