(added reissuance section)
| Line 54: | Line 54: | ||
* The public keys need to be advertised very securely; any tampering with this trust root enables receipt-impersonation attacks. | * The public keys need to be advertised very securely; any tampering with this trust root enables receipt-impersonation attacks. | ||
* Revoked keys need to be advertised just as securely; the ability to disrupt revocation distribution could allow an attacker to use a stolen key. | |||
* A receipt-generation site would need to detect if a root node has stopped generating private keys, and failover to the backup node. | * A receipt-generation site would need to detect if a root node has stopped generating private keys, and failover to the backup node. | ||
* Marketplace would need to detect if a receipt signing site has stopped responding to requests from Marketplace, and fail over to a backup site. | * Marketplace would need to detect if a receipt signing site has stopped responding to requests from Marketplace, and fail over to a backup site. | ||
* Marketplace would need to keep a log of receipt-generation requests; this should be compared to the receipt-generation jobs executed by the signing nodes to detect unexpected requests. (OR: all Marketplace nodes would need to authenticate to the signing cluster) | |||
== Appendices == | == Appendices == | ||
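Review bot: the revocation bullet added at Line 54 names the risk (an attacker who blocks revocation distribution keeps a stolen key usable) but not the mitigation, so the requirement is incomplete; state that verifiers must fail closed, treating a key as unusable once the revocation data they hold is older than a fixed maximum age, and give each published revocation list an expiry so that a stale but validly signed list cannot be replayed to hide a later revocation. The request-log bullet presents "keep a log of receipt-generation requests ... compared to the receipt-generation jobs executed by the signing nodes" and "all Marketplace nodes would need to authenticate to the signing cluster" as alternatives (the "OR:" parenthesis), but they address different things: reconciliation detects unexpected signing jobs after the fact, while authentication prevents unauthorised callers from submitting them in the first place, so the section should require both rather than either. It should also say where the Marketplace-side log lives and that it is append-only; a log that the signing nodes can write to can be altered by whoever compromised them, which is exactly the case the reconciliation is meant to catch.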