Closed
Bug 736573
Opened 12 years ago
Closed 12 years ago
Encrypt in-app payment secrets with HSM
Categories
(addons.mozilla.org Graveyard :: Developer Pages, defect, P1)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: kumar, Unassigned)
References
Details
For an app to talk securely to the marketplace it needs to encrypt all requests with its secret (provided on sign-up in bug 703093). Instead of storing the secrets directly in the database we can store an encrypted secret in the database using an HSM key. This will come in two parts:
- when a secret is generated on the management pages, encrypt/decrypt
- when an app makes a payment request, decrypt its secret to verify the request
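
The two parts described above, as an added sketch that is not code from this bug or from the Marketplace code base. Assumptions: the third-party `cryptography` package, AES-GCM as the wrapping cipher, a dict standing in for the secrets table, HMAC-SHA256 as the request check, and a key generated in-process where a deployment would load it from a file or an HSM.

```python
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: the key-encryption key lives outside the database (file or HSM).
KEK = AESGCM.generate_key(bit_length=256)
DB = {}  # hypothetical secrets table: app_key -> nonce || ciphertext


def generate_secret(app_key: str) -> bytes:
    """Management page: create a secret and store only its encrypted form."""
    secret = os.urandom(32)
    nonce = os.urandom(12)
    # The app key is bound as associated data, so a row copied to another
    # app's record fails authentication on decrypt.
    DB[app_key] = nonce + AESGCM(KEK).encrypt(nonce, secret, app_key.encode())
    return secret  # shown once to the developer, never stored in the clear


def load_secret(app_key: str) -> bytes:
    """Decrypt the stored secret for one app."""
    blob = DB[app_key]
    return AESGCM(KEK).decrypt(blob[:12], blob[12:], app_key.encode())


def verify_request(app_key: str, body: bytes, tag_hex: str) -> bool:
    """Payment request: decrypt the app's secret, then check the request tag."""
    try:
        secret = load_secret(app_key)
    except (KeyError, InvalidTag):
        return False  # unknown app, tampered row, or wrong key
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)
```

A database dump alone yields only ciphertext; the trade-off discussed in the comments is where `KEK` is held.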
Reporter • Updated • 12 years ago
Priority: -- → P1
Reporter • Comment 1 • 12 years ago
As part of this development, existing secrets should be disabled. That is, the app developers will need to regenerate them.
Reporter • Comment 2 • 12 years ago
We are currently discussing whether or not it's OK to encrypt/decrypt with a key on disk rather than using the HSM.
Reporter • Comment 3 • 12 years ago
Given the threat model around in-app payment secrets, we decided that using the HSM is not necessary. Encrypt/decrypt moved to bug 742751.
Reporter • Updated • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Assignee • Updated • 8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard