Closed Bug 868467 Opened 11 years ago Closed 10 years ago

Review : firefoxos.persona.org

Categories

(Security Assurance :: General, task)

Product:
Security Assurance
Component:
General
Type:
task
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: gene, Unassigned)

References

Details

(Whiteboard: [triage needed]) 

Related Bug 863417

We would like to do the following :
* Establish a new DNS CNAME of firefoxos.persona.org
* Either obtain a new certificate for firefoxos.persona.org OR modify the existing EV multisan certificate for login.persona.org to also include firefoxos.persona.org
* Point this CNAME to a developer controlled AWS instance and load this SSL private key onto that dev controlled AWS instance
* On 5/22 
** Point the CNAME away from the dev AWS instance to our production persona installation
** issue a new cert for firefoxos.persona.org and load it on our production persona installation
** revoke the old cert which had it's private key on the dev instance

This is to bridge a gap in time between now when firefox os phones need to talk to persona, and 5/22 when the firefoxos friendly persona code goes into production

Is this solution acceptable from a security standpoint? Is my assumption that it's possible to issue a new cert for the same name and revoke the old one correct?

If this is acceptable I'll need to obtain the certificate today. I apologize about the short timeline, I only found out about this this morning.
See Also: → 868474
See Also: → 863417
Severity: normal → blocker
:Joes - do we want to take this as an emergency issue or have this wait for triage next Wed?
Flags: needinfo?(jstevensen)
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [triage needed]
(In reply to Curtis Koenig [:curtisk] from comment #1)
> :Joes - do we want to take this as an emergency issue or have this wait for
> triage next Wed?

Please consider this an emergency issue :)   We are trying to provide a fix for a blocker bug that needs to be testable as soon as possible.

The issue is explained here: https://bugzilla.mozilla.org/show_bug.cgi?id=863417#c23

Many thanks to everyone, and sorry about the fire drill.
I think we're conflating two things.

First thing - We need to buy a new cert that includes firefoxos.persona.org.  This should start as soon as possible because it's the long pole.

Second thing is a deeper review of the long term firefoxos support plan.

Can we start on acquiring the updated SSL cert and make it's use in any way pending your further review of this issue?
Go ahead and get the SSL cert to get started. We'll need to review your plan though. The timing for this will be a bit tough as we have a work week next week.
Flags: needinfo?(jstevensen)
(In reply to Joe Stevensen [:joes] from comment #4)
> Go ahead and get the SSL cert to get started. We'll need to review your plan
> though. The timing for this will be a bit tough as we have a work week next
> week.

Thank you, Joe.  As it happens, our work week is next week, too.  We doubly appreciate your help, as it intrudes upon your team's time together.
IS this work still happening? Can this bug be closed?
This must have been done.  Gene, do you know if we still need this open?
Flags: needinfo?(gene)
I can confirm that the name is now a SAN in the prod cert. I doesn't look like the dev instance still exists. I don't remember if we ended up with a temporary cert for the dev instance or if we put the prod cert on the dev instance. The cert expires May 27. I'll say yes, we can close this.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gene)
Resolution: --- → FIXED
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
You need to log in before you can comment on or make changes to this bug.