CloudServices/Notifications/Bipostal: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
 
(15 intermediate revisions by one other user not shown)
Line 1: Line 1:
= Overview  =
<h1>Project is in Cold Storage</h1>


BrowserID Postal ('''BIPostal''') provides a semi-anonymous method for BrowerID consumers to safely communicate and control communcations with third parties (e.g. webapp providers).
<div style="color:red;border:1px solid red;padding:1em;margin:1em;background-color:#FEE;">This project was frozen on Apr. 03 2012. No further work is being done on this project at this time. </div>


== Engineers Involved  ==
<h1>ProjectName</h1>
=Overview=


jr conlin
BrowserID Postal ('''BIPostal''') provides a semi-anonymous method for BrowerID consumers to safely communicate and control communcations with third parties (e.g. webapp providers).
 
== Terminology ==
 
[http://browerid.org BrowserID] - Passwordless credential system based off of Verified Email.
 
Host - The site/service providing the BIPostal service.


Customer - Authorizing human being. There is a presumed level of existing trust between
In later efforts, it will be a mechanism for older sites to provide notification content to users via an email attachment.


Token - A randomized 256bit number converted to an appropriate base character representation.
==Project Contacts==
''Principal Point of Contact'' - jr conlin jrconlin@


Webapp - Third party webapp; semi-trusted party the Customer wishes to connect to through Host.
''IRC'' - #identity


= Use Cases =
''Group Email'' - TBD


== email notification ==
==Goals==
Some users may be uncomfortable providing their real, correlatable email address to a particular site. BiPostal allows users to have an email address auto-generated for them that still allows remote sites to contact them directly.


A Customer wishes to purchase a WebApp. The user does not wish to share their current master email with WebApp, so a proxy email address (Token@host.tld) is automatically created and provided to WebApp. WebApp then wishes to notify Customer, so WebApp sends the email to Token@host.tld. Host processes the notification, blocking notification if Customer has disabled that Token, or stripping non-text content and wrapping the notification for delivery to the registered Customer email.  
BIPostal provides the hooks and framework to allow that sort of function.
==Use Cases==
A Customer wishes to purchase a WebApp. The user does not wish to share their current master email with WebApp, so a proxy email address (nToken@host.tld) is automatically created and provided to WebApp. WebApp then wishes to notify Customer, so WebApp sends the email to nToken@host.tld. Host processes the notification, blocking notification if Customer has disabled that Token, or stripping non-text content and wrapping the notification for delivery to the registered Customer email.


In addition, Host may also submit the notification content to the Push Notification system for eventual display on Customers Push Notification enabled devices.
In addition, Host may also submit the notification content to the Push Notification system for eventual display on Customers Push Notification enabled devices.


= Requirements =
==Requirements==
* Host service shall accept BrowserID assertions as valid credentials for Customers
* Host service shall provide a unique token (nToken) that may be used to represent the Customer
** Token shall have a minimum of 256 bits of entropy
** Token shall only use characters 0-9, a-z (due to MTA restrictions)
* Host service shall associate an nToken with a Customer Email address
** Email address shall consist of an nToken (as a valid RFC5322 local part) in conjunction with the recipient host name.
* Host service shall allow users to manage IDs associated with their email address
** Users can "disable" (Make temporarily unavailable) or "delete" (permanently disable) an id.
** Only "active" tokens shall be allowed to forward to the user.
** The host system will attempt to re-assign a previously "disabled" ID for a user for a specific audience site (e.g. if the user had previously registered "123abc" for "example.com", a subsequent registration to "example.com" will re-activate the "123abc" nToken)
** nTokens that the user has marked as "deleted" shall be retained for the legal minimum period required by law.


* Host service shall accept BrowserID assertions as valid credentials for Customers
* Host service shall provide an optional randomized 256bit token which can be used as an email address.
** Token shall consist of valid RFC5322 token generated from randomized 256bit number.
** Allowances for "picky" MTAs may be accommodated, and the 256bit number may be converted to base36.
* Host service shall accept random, valid email token identifiers for Customer. (These tokens may be generated from the Host service or provided by the BrowerID managing agent.)


BrowserID has had a long standing request for an email redirect service. The service would accept mail addressed with an email safe, significant token as the local component, and redirect email to the principle registered email address of the user. Put far more clearly:
BrowserID has had a long standing request for an email redirect service. The service would accept mail addressed with an email safe, significant token as the local component, and redirect email to the principle registered email address of the user. Put far more clearly:
Line 41: Line 46:
* Site, wishing to send notifications to User, may now email "a0b2c3@browserid.org", which will then forward the message to "Bob@example.com"
* Site, wishing to send notifications to User, may now email "a0b2c3@browserid.org", which will then forward the message to "Bob@example.com"
* BrowserID adds a header/footer to the outbound message
* BrowserID adds a header/footer to the outbound message
* User may disable or drop "a0b2c3" from receiving mail at some time in the future if Site is overly chatty or that email address has been compromised.  
* User may disable or drop "a0b2c3" from receiving mail at some time in the future if Site is overly chatty or that email address has been compromised.
==Get Involved==
Currently the code is still under development. Please see the Code Repositories.


= Applications  =
=Design=
==Points of Contact==
Engineer - jr conlin jrconlin@


== BiPostal ==
==API Reference/Documentation==
BrowserID has had a long standing request for an email redirect service. The service would accept mail addressed with an email safe, significant token as the local component, and redirect email to the principle registered email address of the user. Put far more clearly:
There are several components to BIPostal.
<b>ppymilter2</b><br>
A tweaked version of ppymilter that uses gevent instead of asyncore<br>
https://github.com/jrconlin/ppymilter2<br>
<br>
<b>bipostal_store</b><br>
A common library for data management between various BiPostal services.<br>
https://github.com/jrconlin/bipostal_store<br>
<br>
<b>BIPostal Dash</b><br>
An API & Dashboard service which creates and manages aliases.</br>
https://wiki.mozilla.org/Services/Notifications/Bipostal/API


* A User logs into Site with BrowserID as "Bob@example.com"
<b>BIPostal</b><br>
* BrowserID then identifies User to Site as "a0b2c3@browserid.org"
a pair of PostFix plugins:<br>
* Site, wishing to send notifications to User, may now email "a0b2c3@browserid.org", which will then forward the message to "Bob@example.com"
https://github.com/mozilla-services/bipostal<br>
* BrowserID adds a header/footer to the outbound message
<blockquote>
* User may disable or drop "a0b2c3" from receiving mail at some time in the future if Site is overly chatty or that email address has been compromised.  
<b>BIPostmap</b><br>
an address mapping plugin that uses standard Postfix name mapping protocols. See http://www.postfix.org/ADDRESS_REWRITING_README.html for details.<br>
<br>
<b>BIPostal_milter</b> is a standard Postfix Milter which modifies the message (stripping extra content, adding headers and in the future, pulling JSON formed objects out for transmission to the Notifications PUSH platform). See http://www.postfix.org/MILTER_README.html for details.<br>
</blockquote>


In order to perform this, Bipostal uses two PostFix milter functions. One being a non-smtpdfilter (bipostal), the other being a TCP tables filter (bipostmap).
=== Data Schema ===
While only really appropriate for the Mysql_Memcache model, the following schema presents how data can be stored.


== Bipostmap ==
<dl>
<dt>User
<dd><b>user</b> - string(255) - user id <i>primary key</i><br>
<b>email</b> - string(255) - preferred email address (may be different than user.<br>
<b>metainfo</b> - Text - Unindexed, optional JSON data associated with the user (mostly used by the UI)
<dt>Alias
<dd><b>alias</b> - string(255) - Alias for a user<br>
<b>email</b> - string(255) - email to send to<br>
<b>user</b> - string(255) - user ID associated with this record<br>
<b>origin</b> - string(190) - optional alias origin (site registered to use this alias)<br>
<b>created</b> - Integer - UTC Timestamp of alias creation<br>
<b>status</b> - Enum('active','inactive','deleted') - Alias status<br>
<b>metainfo</b> - Text - Optional additional information associated with this alias<br>


Bipostmap is very straight forward. It uses the PostFix TCP tables protocol to do the alias lookup. It connects to a REDIS database, and looks for a matching key value for "s2u:{TOKEN}" where {TOKEN} is the local-part of the incoming email address.
== BiPostal API ==


== Bipostal ==
The BiPostal system uses REST-like API calls to perform most of the work. Some of the API entry points have legacy names and may change. Unless otherwise specified, all calls use two legged OAuth. The OAuth key/secret are returned from the Login BrowserID assertion post (See POST '/').


Bipostal uses the Milter protocol to modify the accepted email message for outbound delivery.  
Calls will return HTTP error response codes for invalid requests. Listed returns presume a 200 response code.


=== POST / ===
Log a user into the service and create a server side session association.


=== BiPostal API ===
Arguments {'assertion': 'BrowserID Assertion',
            'audience': 'origin of the request'}


The BiPostal system uses REST-like API calls to perform most of the work. Some of the API entry points have legacy names and may change
(As appropriate for auth method)
Returns: {'consumer_key': 'Session based OAuth Consumer Key',
          'shared_secret': 'Session based OAuth Shared Secret',
          'access_token': 'Session based MAC access token',
          'mac_key': 'Session based MAC secret key',
          'refresh_token': 'Post expiration refresh token',
          'mac_algorithm': '(mac-sha-1 | mac-sha-256)',
          'expires_in': Seconds until token expires,
          'server_time': Server time in UTC seconds
            }


==== GET /0.5/new_token ====
=== GET /new_alias ===
Returns a new, mail local-part safe hash based on a 256bit random number
Returns a new, mail local-part safe hash based on a 256bit random number


Line 76: Line 125:
  Returns: ''JSON complient string containing the new token''
  Returns: ''JSON complient string containing the new token''


====POST /0.5/user_queue====
=== GET /alias/ ===
Creates returns the user's queue, creating if necessary.  
Return list of known aliases for a logged in user.
 
Arguments: {}
 
Returns: {'email': 'main email for user',
          'aliases': [{'alias': 'alias string',
                        'email': 'associated email',
                        'origin': 'requesting domain audience',
                        'status': '(active | inactive)'
                      },
                      ...]
          }
 
=== POST /alias/ ===
Add an alias to a logged in user's record
 
Arguments: {'alias': 'alias to use',
            'audience': 'remote request origin'}
 
Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': '(active | inactive)'
          }
 
=== GET /alias/{alias} ===
Get detailed information for a logged in user's alias
 
Arguments: {'audience': 'Optional origin'}
 
Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': '(active | inactive)'
          }
 
=== DELETE /alias/{alias} ===
Delete an alias associated with the logged in user.
 
Arguments: {'audience': 'Optional origin'}
 
Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': 'deleted'
          }
 
=== PUT /alias/{alias} ===
Change the status of a logged in user's alias
 
Arguments: {'status': '(active | inactive)'}
 
Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': 'deleted'
          }           
 
==Platform Requirements==
This package was authored for Linux based systems. It was originally constructed for the Ubuntu distribution, and has been modified for use under Red Hat Enterprise.
 
==Libraries Required==
The following system level libraries and packages are required and should be installed at the system level. Repository names are taken from Ubuntu/Debian distributions.
===General===
* python-dev
* memcached & mysql-client (note, the package may require access to a mysql server)
* redis (An optional, alternate storage method)
* libmysqlclient-dev
* nginx


Arguments: 'Credentials'
===BIPostal (Postfix plugins)===


    Credentials are determined by the backend-auth mechanism used.
===BIPostal Dash===
    For basic Auth they consist of the username and password.
curl3
    For browserId they consist of the assertion in the 'password'
libcurl3-gnutls
    field with no 'username' required.


    Resolved User_id may be stored in beaker as 'uid' to bypass
==Code Repository==
    credential check.
''Stable'' -
 
'''BIPostal_store''' - Common data storage packages - http://github.com/jrconlin/bipostal_store
Returns: {'queue_id': ''token'',
'''BIPostal''' - Postfix Plugins - http://github.com/mozilla-services/bipostal
          'host': ''Submission host name'',
'''BIPostal_dash''' - Dashboard / API for BIPostal - http://github.com/jrconlin/bipostal_dash
          'port': ''Server access port''}


    'queue_id' is the user's queue token. This id should be valid across
''Devel'' - See "dev" branches of above.
    log-in credentials (e.g. if a user has "bob@example.com" and
==Release Schedule==
    "bjones@example.com", this ID would be consistent.
Test/Staging - Q4 2011
Public - Q1 2012


    'host' is the host URL to use for queue submission.
=QA=
==Points of Contact==
services-qa@


    'port' is the host PORT to use for queue submission.
==Test Framework==
=Security and Privacy=
==Points of Contact==
==Questionnaire Answers==
===1.1 Goal of Feature ===
This feature provides a semi-anonymous email address to users of BrowserID. Users are granted a randomly generated, 64 character, alphanumeric "string of crap"@browserid.org which acts as a site specific email address. Sites may then email the user at that alias. We reformat the email (currently wrap it with a TBD header/footer and strip non-text content) and send it to the user.


====POST /0.5/new_subscription====
User has control over the email and can 'deactivate' it, rendering the email as invalid.
Create a new subscription for the user. Note: if this is a re-subsciption, the previous subscription value is returned.
Arguments: Request containing:
    'credentials' (see user_queue)
    'token' SMTP local-part compliant token. Either created from /new_token
        or generated by another source.
    'origin' site+tld (to be used to qualify token.)


====POST /0.5/remove_subscription====
The project uses a combination of nginx and python (for the API support elements), Memcache and MySQL (for data storage), and Postfix milters for mail processing. API support and storage were determined after discussions with Operations as well as a desire to use consistent code elements. Likewise the Postfix milter allowed the minimal set of code to be created on top of a stable, well supported architecture than can be updated independently of the work done.
Deactivate a subscription


Arguments: Request containing:
(See surrounding document for detailed Use Cases, rationale, etc.)
    'credentials' (see user_queue)
    'token' Subscription token to deactivate


== BiPostalDash ==
===2. Potential Threat Vectors and Mitigation Points===
1. Address resolution:
Since this is designed around email, attackers could generate random 64character email addresses to attempt to scattergun spam.


While the mail service is accessible via web API calls, it's a good idea to provide some form of web front end to allow users to manage their account. To that end, a minimal server has been constructed to provide that functionality.
We are working with an external provider (SocketLabs) to provide an initial filter for incoming email. They would provide DKIM filtering and known site blacklisting. This should restrict the potential attack sources. In addition, the very large namespace should prevent successful hits.


The current server is built as an extension of the Mozilla Push platform. Effort will be taken to refactor that into a stand alone application.
2. Alias injection/manipulation:
Alias generation and control is handled via a simple REST API, credentialed by a BrowserID token.


=TODO=
The API uses a combination of 2legged OAuth 1.0 with the temporary token exchange occurring as part of the BrowserID authorization response. These tokens are session based and runs across https. This should minimize sniffing and simple XSS.
==Known Bugs==
* Re-examine Redis indexes for simplicity.
* Port redis-file data changes to mongo/memory models
* Add unit tests for bipostal
* Switch Beaker.session uid to be user token (from redis)


==Outstanding tasks==
==Review Status==
=== Global ===
''Bugzilla Tracking #'' -
* Add comments / code cleanup
see https://wiki.mozilla.org/Security/Reviews
* Install to public box
==Issues and Resolutions==
* load testing


=== BiPostmap ===
=Operations=
* Add database abstraction layer (allow alternate stores like notifications uses)
==Points of Contact==
==Deployment Architecture==
''Bugzilla Tracking # '' -
==Escalation Paths==
==Lifespan Support Plans==


=== BiPostal ===
=Logging and Metrics=
* Strip HTML content from the message body in favor of using just the plain text content.
==Points of Contact==
* add Templater for header/footer content
==Tracking Element Definitions==
** need to get finalized header/footer content, management links, etc.
==Data Retention Plans==
* fetch user personalization info (Name, etc.) for template?
==Dashboard URL==
* use standardized config loader
* allow multiple email addresses for account.
** allow user to switch to new address.


===BiPostalUI ===
=Customer Support=
* Extract uicontroller and make separate pylons app.
==Points of Contact==
* use standard config loader
==Sumo Tags==
* Allow for mulitple mail addresses
==Review Meeting==
** provide filtering (token => email address?)
* Add local BrowserID RSA signature checks
** pull BrowserID public key from server
** ? use rfkelly's browserid plugin
* ? Add usertoken to credential checks

Latest revision as of 19:50, 19 November 2013

Project is in Cold Storage

This project was frozen on Apr. 03 2012. No further work is being done on this project at this time.

ProjectName

Overview

BrowserID Postal (BIPostal) provides a semi-anonymous method for BrowerID consumers to safely communicate and control communcations with third parties (e.g. webapp providers).

In later efforts, it will be a mechanism for older sites to provide notification content to users via an email attachment.

Project Contacts

Principal Point of Contact - jr conlin jrconlin@

IRC - #identity

Group Email - TBD

Goals

Some users may be uncomfortable providing their real, correlatable email address to a particular site. BiPostal allows users to have an email address auto-generated for them that still allows remote sites to contact them directly.

BIPostal provides the hooks and framework to allow that sort of function.

Use Cases

A Customer wishes to purchase a WebApp. The user does not wish to share their current master email with WebApp, so a proxy email address (nToken@host.tld) is automatically created and provided to WebApp. WebApp then wishes to notify Customer, so WebApp sends the email to nToken@host.tld. Host processes the notification, blocking notification if Customer has disabled that Token, or stripping non-text content and wrapping the notification for delivery to the registered Customer email.

In addition, Host may also submit the notification content to the Push Notification system for eventual display on Customers Push Notification enabled devices.

Requirements

  • Host service shall accept BrowserID assertions as valid credentials for Customers
  • Host service shall provide a unique token (nToken) that may be used to represent the Customer
    • Token shall have a minimum of 256 bits of entropy
    • Token shall only use characters 0-9, a-z (due to MTA restrictions)
  • Host service shall associate an nToken with a Customer Email address
    • Email address shall consist of an nToken (as a valid RFC5322 local part) in conjunction with the recipient host name.
  • Host service shall allow users to manage IDs associated with their email address
    • Users can "disable" (Make temporarily unavailable) or "delete" (permanently disable) an id.
    • Only "active" tokens shall be allowed to forward to the user.
    • The host system will attempt to re-assign a previously "disabled" ID for a user for a specific audience site (e.g. if the user had previously registered "123abc" for "example.com", a subsequent registration to "example.com" will re-activate the "123abc" nToken)
    • nTokens that the user has marked as "deleted" shall be retained for the legal minimum period required by law.


BrowserID has had a long standing request for an email redirect service. The service would accept mail addressed with an email safe, significant token as the local component, and redirect email to the principle registered email address of the user. Put far more clearly:

  • A User logs into Site with BrowserID as "Bob@example.com"
  • BrowserID then identifies User to Site as "a0b2c3@browserid.org"
  • Site, wishing to send notifications to User, may now email "a0b2c3@browserid.org", which will then forward the message to "Bob@example.com"
  • BrowserID adds a header/footer to the outbound message
  • User may disable or drop "a0b2c3" from receiving mail at some time in the future if Site is overly chatty or that email address has been compromised.

Get Involved

Currently the code is still under development. Please see the Code Repositories.

Design

Points of Contact

Engineer - jr conlin jrconlin@

API Reference/Documentation

There are several components to BIPostal. ppymilter2
A tweaked version of ppymilter that uses gevent instead of asyncore
https://github.com/jrconlin/ppymilter2

bipostal_store
A common library for data management between various BiPostal services.
https://github.com/jrconlin/bipostal_store

BIPostal Dash
An API & Dashboard service which creates and manages aliases.
https://wiki.mozilla.org/Services/Notifications/Bipostal/API

BIPostal
a pair of PostFix plugins:
https://github.com/mozilla-services/bipostal

BIPostmap
an address mapping plugin that uses standard Postfix name mapping protocols. See http://www.postfix.org/ADDRESS_REWRITING_README.html for details.

BIPostal_milter is a standard Postfix Milter which modifies the message (stripping extra content, adding headers and in the future, pulling JSON formed objects out for transmission to the Notifications PUSH platform). See http://www.postfix.org/MILTER_README.html for details.

Data Schema

While only really appropriate for the Mysql_Memcache model, the following schema presents how data can be stored.

User
user - string(255) - user id primary key
email - string(255) - preferred email address (may be different than user.
metainfo - Text - Unindexed, optional JSON data associated with the user (mostly used by the UI)
Alias
alias - string(255) - Alias for a user
email - string(255) - email to send to
user - string(255) - user ID associated with this record
origin - string(190) - optional alias origin (site registered to use this alias)
created - Integer - UTC Timestamp of alias creation
status - Enum('active','inactive','deleted') - Alias status
metainfo - Text - Optional additional information associated with this alias

BiPostal API

The BiPostal system uses REST-like API calls to perform most of the work. Some of the API entry points have legacy names and may change. Unless otherwise specified, all calls use two legged OAuth. The OAuth key/secret are returned from the Login BrowserID assertion post (See POST '/').

Calls will return HTTP error response codes for invalid requests. Listed returns presume a 200 response code.

POST /

Log a user into the service and create a server side session association. 

Arguments {'assertion': 'BrowserID Assertion',
           'audience': 'origin of the request'}

(As appropriate for auth method)
Returns: {'consumer_key': 'Session based OAuth Consumer Key',
          'shared_secret': 'Session based OAuth Shared Secret',
          'access_token': 'Session based MAC access token',
          'mac_key': 'Session based MAC secret key',
          'refresh_token': 'Post expiration refresh token',
          'mac_algorithm': '(mac-sha-1 | mac-sha-256)',
          'expires_in': Seconds until token expires,
          'server_time': Server time in UTC seconds
           }

GET /new_alias

Returns a new, mail local-part safe hash based on a 256bit random number 

Arguments: {}

Returns: JSON complient string containing the new token

GET /alias/

Return list of known aliases for a logged in user. 

Arguments: {}

Returns: {'email': 'main email for user',
          'aliases': [{'alias': 'alias string',
                       'email': 'associated email',
                       'origin': 'requesting domain audience',
                       'status': '(active | inactive)'
                      },
                      ...]
         }

POST /alias/

Add an alias to a logged in user's record 

Arguments: {'alias': 'alias to use',
            'audience': 'remote request origin'} 

Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': '(active | inactive)'
         }

GET /alias/{alias}

Get detailed information for a logged in user's alias 

Arguments: {'audience': 'Optional origin'}

Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': '(active | inactive)'
         }

DELETE /alias/{alias}

Delete an alias associated with the logged in user. 

Arguments: {'audience': 'Optional origin'}

Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': 'deleted'
         }

PUT /alias/{alias}

Change the status of a logged in user's alias 

Arguments: {'status': '(active | inactive)'}

Returns: {'alias': 'alias string',
          'email': 'associated email',
          'origin': 'requesting domain audience',
          'status': 'deleted'
         }

Platform Requirements

This package was authored for Linux based systems. It was originally constructed for the Ubuntu distribution, and has been modified for use under Red Hat Enterprise.

Libraries Required

The following system level libraries and packages are required and should be installed at the system level. Repository names are taken from Ubuntu/Debian distributions.

General

  • python-dev
  • memcached & mysql-client (note, the package may require access to a mysql server)
  • redis (An optional, alternate storage method)
  • libmysqlclient-dev
  • nginx

BIPostal (Postfix plugins)

BIPostal Dash

curl3 libcurl3-gnutls

Code Repository

Stable - BIPostal_store - Common data storage packages - http://github.com/jrconlin/bipostal_store BIPostal - Postfix Plugins - http://github.com/mozilla-services/bipostal BIPostal_dash - Dashboard / API for BIPostal - http://github.com/jrconlin/bipostal_dash

Devel - See "dev" branches of above.

Release Schedule

Test/Staging - Q4 2011 Public - Q1 2012

QA

Points of Contact

services-qa@

Test Framework

Security and Privacy

Points of Contact

Questionnaire Answers

1.1 Goal of Feature

This feature provides a semi-anonymous email address to users of BrowserID. Users are granted a randomly generated, 64 character, alphanumeric "string of crap"@browserid.org which acts as a site specific email address. Sites may then email the user at that alias. We reformat the email (currently wrap it with a TBD header/footer and strip non-text content) and send it to the user.

User has control over the email and can 'deactivate' it, rendering the email as invalid.

The project uses a combination of nginx and python (for the API support elements), Memcache and MySQL (for data storage), and Postfix milters for mail processing. API support and storage were determined after discussions with Operations as well as a desire to use consistent code elements. Likewise the Postfix milter allowed the minimal set of code to be created on top of a stable, well supported architecture than can be updated independently of the work done.

(See surrounding document for detailed Use Cases, rationale, etc.)

2. Potential Threat Vectors and Mitigation Points

1. Address resolution: Since this is designed around email, attackers could generate random 64character email addresses to attempt to scattergun spam.

We are working with an external provider (SocketLabs) to provide an initial filter for incoming email. They would provide DKIM filtering and known site blacklisting. This should restrict the potential attack sources. In addition, the very large namespace should prevent successful hits.

2. Alias injection/manipulation: Alias generation and control is handled via a simple REST API, credentialed by a BrowserID token.

The API uses a combination of 2legged OAuth 1.0 with the temporary token exchange occurring as part of the BrowserID authorization response. These tokens are session based and runs across https. This should minimize sniffing and simple XSS.

Review Status

Bugzilla Tracking # - see https://wiki.mozilla.org/Security/Reviews

Issues and Resolutions

Operations

Points of Contact

Deployment Architecture

Bugzilla Tracking # -

Escalation Paths

Lifespan Support Plans

Logging and Metrics

Points of Contact

Tracking Element Definitions

Data Retention Plans

Dashboard URL

Customer Support

Points of Contact

Sumo Tags

Review Meeting

Retrieved from "https://wiki.mozilla.org/index.php?title=CloudServices/Notifications/Bipostal&oldid=765659"