207
edits
Apps/WebApplicationReceipt/GenerationService: Difference between revisions
Jump to navigation
Jump to search
Apps/WebApplicationReceipt/GenerationService (view source)
Revision as of 08:53, 26 March 2012
, 26 March 2012no edit summary
No edit summary |
No edit summary |
||
| Line 28: | Line 28: | ||
(NB to Marketplace team: If there is going to be a developer-facing API to query the state of individual receipts by user ID, it will need to have a developer-facing authentication piece. This system does not require authentication; possession of the receipt is considered sufficient to find out the user's status). | (NB to Marketplace team: If there is going to be a developer-facing API to query the state of individual receipts by user ID, it will need to have a developer-facing authentication piece. This system does not require authentication; possession of the receipt is considered sufficient to find out the user's status). | ||
Software Components | == Software Components == | ||
The root signing nodes are responsible for generating a daily list of keys, certifying them with a hardware-protected private key. They push these certified keys to the signing nodes through a secure, intranet-only link. There is no internet access to the root signing nodes. The public half of these keys is exported and delivered very carefully to the advertising point. | The root signing nodes are responsible for generating a daily list of keys, certifying them with a hardware-protected private key. They push these certified keys to the signing nodes through a secure, intranet-only link. There is no internet access to the root signing nodes. The public half of these keys is exported and delivered very carefully to the advertising point. | ||
| Line 35: | Line 35: | ||
The Marketplace Verification service needs to receive the public keys, and to perform verification of the receipt and the certificate chain. | The Marketplace Verification service needs to receive the public keys, and to perform verification of the receipt and the certificate chain. | ||
Threat Model | == Threat Model == | ||
An attacker could capture a signing key and export it from the signing node. They could make as many nodes as they like. | An attacker could capture a signing key and export it from the signing node. They could make as many nodes as they like. | ||
| Line 54: | Line 54: | ||
An attacker could compromise the channel through which the public keys are relayed from the root trust nodes to the distribution point, and place their own public key in the list. | An attacker could compromise the channel through which the public keys are relayed from the root trust nodes to the distribution point, and place their own public key in the list. | ||
Operational Procedures | == Operational Procedures == | ||
* The public keys need to be advertised very securely; any tampering with this trust root enables receipt-impersonation attacks. | * The public keys need to be advertised very securely; any tampering with this trust root enables receipt-impersonation attacks. | ||