We'd like to re-use the existing marketplace HSMs for APK factory signing. In this case we'll extend the existing trunion instance to include the new functionality. This means we don't need to get a new HSM for this service. There are currently two HSMs in the Marketplace, one for stage and one for production. Likewise we'd re-use those HSMs for APK Factory stage and production. This bug is just to get sign-off from kang; if it's cool we should be able to close it, if not it might get more complicated.
Using the same HSMs in their current state means that we're sharing the key infrastructure between Marketplace and APK factory. This means that APK factory will potentially be able to sign Marketplace apps and vice-versa. As this goes against the principles of separation of products, I would like to make sure that concerned parties agree with the additional risk before proceeding (the concerned party may be you ;). Note: While full separation (different HSMs, etc.) is obviously better from the risk point of view, I understand the need for something easier and cheaper to service, such as a secure API for similar crypto operations. However, we have nothing of the sort available right now.
One of the issues is the long lead time it takes to get an HSM in place.
Security's latest recommendation is that we create a separate, isolated APK signing service. We do not need an HSM and we do not need to re-use the existing HSM.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX