Thank you all for participating in the B2G security discussion so far. While the "uber-thread" has resulted in some very useful and creative discussion, it is clearly difficult to analyze such a complex model thoroughly without putting some more structure in place. As such, we should break up this conversation to focus on each layer of the security model at a time, coming to a specific proposal before moving on to the next layer to ensure we establish a solid foundation for discussion.
As such, after talking to Jonas and Andreas, I propose we talk through the following layers of the security model in order:

1) Get agreement on different "types" of applications (roughly corresponding to groupings of privileges organized by risk)
2) Talk through risks of each WebAPI and determine which of the above type(s) it belongs to (and whether access to it would be implicit or explicit)
3) Determine security implications and mitigations for each application type (CSP, HSTS++, CA pinning, signing, whatever)
4) Discuss the app lifecycle:
   a) publish
   b) install
   c) update
   d) revoke
5) OS security risks and mitigations
6) Review security model and compare against threat model

The goal is to do a full pass through this conversation in 2 weeks. Obviously if new data emerges we might revisit previous decisions, but it'll be more productive if we can stake down some positions throughout the process and build upon them. I'm sending out the first phase (application types) after this email.

Lucas.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security