Security/Reviews/BrowserIDCAPI

Introduce Feature

code is a SASL extension for OpenLDAP to allow an LDAP server to function as an intermediary between an LDAP consuming relying party and an Identity Authority (in this case, BrowserID.org)

django to open-ldap is across the network
is the SASL client plugin exposed externally at all ? ie is it only django itself that can call into it, there's no exposure via direct URL's ?
- you could potentially pass bad email address to django which forwards to the plugin
- urls like /login and /register potentially - entry points are limited to the web forms that talk to the plugin, there shouldn't be any direct access
using SSL in the plugins
- https://github.com/ozten/sasl-browserid/blob/master/plugins/verifier.c#L101
  - I think option should be changed to CURLUSESSL_ALL instead of CURLUSESSL_TRY
  - http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (SSL and and SECURITY OPTIONS)
- verifying that the plugin is really talking to the real browserid.org
- verify that SSL cert verification is enabled for the plugins
signing of the cookie is done by django (django provided Signed Cookies)
- username/password is stored in the cookie
- this will be replaced with a browser ID assertion

[dchan] Code Review
- may be constrained by goals implementation
[possible?] fuzzing
need secure SASL dev expertise
- Cyrus Daboo, Howard Chu - SASL experts - may lead to consultants?
[ozten] Vagrant VM