
SecReview: openbadges backpack



Security Assurance: Review Request
5 years ago


(Reporter: jp, Assigned: mgoodwin)


(Depends on: 1 bug)


(Whiteboard: [completed secreview][Web], URL)



5 years ago
Who is/are the point of contact(s) for this review?
-DevOps - JP Schneider (johns@mozillafoundation.org, 312-970-9080)
-Manager - Chris McAvoy (chris@mozillafoundation.org)
-Lead Dev - Brian Brennan (brian@mozillafoundation.org)

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
-The OpenBadges backpack allows users to manage & share badges they receive on sites across the web.

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

Does this request block another bug? If so, please indicate the bug number
-May be a blocker for Chicago city openbadges launch

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
-Launching this as a possible part of the mid-March Chicago openbadges push

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
-Openbadges DML Launch

Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
-This uses Persona, but does not affect it.

Are there any portions of the project that interact with 3rd party services?
-New Relic, AWS
-The OpenBadges Backpack is primarily a service that lets users pull information (badges) from 3rd parties (issuers). There is also an in-progress feature for 3rd parties to request an access token from the user's backpack to allow push access to a user's backpack. The token system is modeled after OAuth2.

Will your application/service collect user data? If so, please describe
-Yes, the purpose of the service is to help a user aggregate & manage their badges from across the web and the badges themselves *may* contain PII. For more information on what data the badges contain, see https://github.com/mozilla/openbadges/wiki/New-Assertion-Specification

Desired Date of review:
ASAP, since launch is in ~2 weeks
Group: mozilla-confidential
Whiteboard: [pending secreview] → [pending secreview][triage needed]
Assignee: nobody → mgoodwin
Whiteboard: [pending secreview][triage needed] → [pending secreview]

Comment 2

5 years ago
Prod software is on openbadges.mofoprod.net
Depends on: 850755
Depends on: 851297
Depends on: 851483

Comment 3

5 years ago
Hi Simon, Can you please cc me on 851297?
Flags: needinfo?(sbennetts)
Done :)
Flags: needinfo?(sbennetts)
Whiteboard: [pending secreview] → [pending secreview][Web]

Comment 5

5 years ago
Having spoken to Simon, I think we're all done here. Please let us know if significant changes are made here.
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][Web] → [completed secreview][Web]