Closed
Bug 756431
Opened 12 years ago
Closed 8 years ago
Security Review for Profile feature of Mozilla Persona/BrowserID
Categories
(mozilla.org :: Security Assurance: Review Request, task, P3)
mozilla.org
Security Assurance: Review Request
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: stomlinson, Assigned: ygjb)
Details
(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:36::Medium])
1. Who is/are the point of contact(s) for this review?
stomlinson; secondary: francois, benadida, lloyd in #identity

2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Persona makes it easy for users to sign in to sites, but it does nothing to simplify user signup to a site. Users visiting a new site are frequently asked for basic profile information - information they have been asked for repeatedly. 3rd party systems like Facebook Connect or OAuth simplify this by giving profile information to RPs, but they suffer from an "all or none" approach. By adding a profile service to Persona, we aim to provide RPs with a mechanism to get the information they need but still keep users in control of which data they provide.

3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
https://wiki.mozilla.org/Identity/Profile/Proposal
https://github.com/mozilla/browserid/issues/880

4. Does this request block another bug? If so, please indicate the bug number.
No

5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
We would like to release an initial implementation of the profile feature when Persona goes to Beta - at this point this is scheduled for the end of July. There will be no server side component for the initial release. We would like to know if a security review of the client side component is needed.

6. Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

6.1 Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
Yes - this affects Mozilla Persona.

6.2 Are there any portions of the project that interact with 3rd party services?
Yes - Persona interacts with 3rd parties that rely on Persona as their authentication mechanism.

6.3 Will your application/service collect user data? If so, please describe.
Profile data collected as part of the service will be given to RPs after user consent. This data will initially include the user's name and an avatar photo. Profile data will be given to 3rd parties who request the data after the user's consent.

7. If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Initial revisions of this feature will be client side only - all data will be stored in localStorage. A server side component will be introduced in future phases. Since no code other than exploratory proof of concept code has been written, any review in the short term would be architectural only. Subsequent revisions of this feature will include a server sync component. Security reviews of the server side architecture as well as the interactions between client, server, and 3rd parties will be needed.

8. Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
05/28 or 05/29
Shane Tomlinson, Ben Adida, Francois Marier, Lloyd Hilaiel, Brian Warner
Updated•12 years ago
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [pending secreview][triage needed 2012.05.23]
Will schedule a session for 5/29
Assignee: nobody → yboily
Whiteboard: [pending secreview][triage needed 2012.05.23] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Review scheduled for 5/29 (5/28 is a holiday in USA) https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=182099-182098&pstat=AC&instStartTime=1338310800000&instDuration=3600000
Risk/Priority Ranking Exercise
https://wiki.mozilla.org/Security/RiskRatings
Priority: 3 (P3) - Overall Mozilla Quarterly Goal
Operational: 0 - N/A
User: 0 - N/A
Privacy: 3 - Major
Engineering: 3 - Major
Reputational: 3 - Major
Priority Score: 36
Severity: normal → major
Priority: -- → P3
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:36::Medium]
Comment 4•8 years ago
The Persona service will be decommissioned later this year, so I'm closing out Persona-related bugs.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE