My colleague in CloudBees Operations, Ben Walding, shared some feedback with me
off list, which he's allowed me to share more broadly. A summary of his
questions is below, with some of my responses inline.

* UUID: If the UUID is the fingerprint of the Jenkins instance, are there any
  PII issues?


In this design the UUID is literally a UUID generated on the server
side by the Node `uuid` module, so it's only correlated to the
instance after the registration has completed. That said, yes there is
a GDPR identification concern if/when that Instance UUID is associated in a
backend database with an individual's identity (e.g. GitHub Username). At this
point this is a concern which I am aware of, but we're not far enough along in
Jenkins Essentials to where this affects our designs.


* Service Authentication: I'm assuming you're thinking of TLS/HTTPS for
  transport protection between the client and the server?


TLS is definitely a requirement, full stop. I have updated the document with
this under the Security section.


* JWT Bearer Tokens vs. Request Signing: IIUC, the JWT is used as part of an
  HMAC signing of the request? The way you've talked about it, it seems more
  like a Bearer token (which has risks around replay).


JWT is being used much more as a bearer token rather than HMAC
signing of the request. ("JWT Simple" :))

At this point I do not see additional value in request signing, for the
additional key management overhead to pass a client's public key around between
backend services in order to verify request signatures. I've added some
additional notes to the "Alternative Approaches" section of the document to
capture this concern, however.




I've had some constructive discussions around this design, and have made
substantial progress on the implementation work, so I have proposed my JEP
document for numbering and Draft status in this pull request:
    https://github.com/jenkinsci/jep/pull/74




Thanks for providing feedback everybody!


Cheers
- R. Tyler Croy

------------------------------------------------------
     Code: <https://github.com/rtyler>
  Chatter: <https://twitter.com/agentdero>
     xmpp: rty...@jabber.org

  % gpg --keyserver keys.gnupg.net --recv-key 1426C7DC3F51E16F
------------------------------------------------------
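
Added example, not part of the original message or of the Jenkins Essentials code: Node.js code contrasting the two models raised in the JWT question above, a bearer JWT that verifies for any request versus a per-request signature bound to method, path, body and timestamp. It assumes a shared-secret HMAC for both (the message itself speaks of client public keys for signing); the canonical string layout, paths, claim names and clock values are constructed for illustration.

```javascript
// Added illustration: keys, claims, paths and timestamps are constructed sample values.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();
const safeEqual = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

// Bearer model: the server issues an HS256 JWT; the client presents it unchanged on every call.
function issueJwt(secret, claims) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(secret, `${head}.${body}`))}`;
}

function verifyJwt(secret, token, now) {
  const [head, body, sig, extra] = token.split('.');
  if (!sig || extra !== undefined) return null;
  if (!safeEqual(Buffer.from(sig, 'base64url'), hmac(secret, `${head}.${body}`))) return null;
  // Signature checked first, so the JSON parsed below is what the server itself issued.
  if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url'));
  return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
}

// Signing model: the client MACs each request, binding the proof to method, path, body, time.
function canonical(req) {
  const bodyHash = crypto.createHash('sha256').update(req.body).digest('hex');
  return [req.method, req.path, req.timestamp, bodyHash].join('\n');
}
const signRequest = (key, req) => b64url(hmac(key, canonical(req)));

function verifyRequest(key, req, signature, now, maxSkew = 300) {
  if (Math.abs(now - req.timestamp) > maxSkew) return false; // bounds the replay window
  return safeEqual(Buffer.from(signature, 'base64url'), hmac(key, canonical(req)));
}

function demo() {
  const now = 1700000000; // fixed clock so results are reproducible
  const key = crypto.randomBytes(32);
  const token = issueJwt(key, { sub: 'instance-uuid-placeholder', exp: now + 3600 });
  const sent = { method: 'POST', path: '/example/status', timestamp: now, body: '{"ok":true}' };
  const sig = signRequest(key, sent);
  const other = { ...sent, path: '/example/other', body: '{}' };
  return {
    bearerReusedElsewhere: verifyJwt(key, token, now + 60) !== null, // true: token names no request
    signatureOnSentRequest: verifyRequest(key, sent, sig, now + 60), // true
    signatureOnOtherRequest: verifyRequest(key, other, sig, now + 60), // false
    signatureAfterWindow: verifyRequest(key, sent, sig, now + 3600), // false
  };
}
```

An identical signed request resent inside the skew window still verifies here; rejecting that needs a server-side record of seen requests or nonces. With TLS in place, as the message requires, the bearer token's exposure is limited to its lifetime and to whoever can read it at either endpoint.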
