Apps/WebApplicationReceipt/GenerationService: Difference between revisions

Apps/WebApplicationReceipt/GenerationService (view source)

Revision as of 12:58, 6 April 2012

1,096 bytes added , 6 April 2012

→‎Comments / Concerns / Clarification Needed

Curtisk

canmove, Confirmed users, Bureaucrats and Sysops emeriti

2,776

edits

@@ Line 136: / Line 136: @@
 * [clouserw - 2012-03-29] In Appendix B you ask if the public keys and the revoked keys should be in the same file, but in "Software Components" you say that the public keys are on an intranet-only URL.  In "System Overview" you mention that the developer's servers can retrieve the list of revoked keys but they won't have access to an intranet-only URL.
 ** [mhanson 2012-03-29] the private keys are intranet only - the public keys are "delivered carefully to the advertising point" - e.g. the public website
+===Security Review Notes===
+Review Notes:
+;Items to be reviewed:
+* {{bug|734445}}
+* https://wiki.mozilla.org/Apps/WebApplicationReceipt
+* How we are going to authenticate the signers.
+* authenticate server (marketplace) requesting signing.
+* Operations Security Tasks
+# write ocs/acs (hsm smartcards) operational procedures and policy
+# program ocs/asc (hsm smartcards)
+# publish system and network security requirements for these servers and hosts
+# verify that CEF logging in place for each receipt signing operation. <joes><ray>
+risk
+-----
+* server ip compromise could allow push of signing cert from root cert to malicious server.
+* multiple refunds against non-valid transactions or just too many refunds.
+=== Conclusions / Action Items ===
+* Who :: What :: By when
+* Bill to verify with Justin about plan for receipt revocation
+* Need to design and implement a receipt reissue system
+* Review to verify daily keys are correctly destroyed each day
+* Need to alter receipt verification to cope with the proposed signing chain
+* need to define process for recovation/re-issue of root key
 == Action Items ==