On 1/02/2015 10:03, Adam Roach wrote:
> On 1/31/15 15:50, Ryan Kelly wrote:
>> On 1/02/2015 04:48, Christopher Karlof wrote:
>>> +dev-fxacct, zaach, stomlinson, rfk
>>
>> Thanks!
>>
>> Chris or Adam, it would be great if you could add a bit of background
>> on the feature under discussion here, just so we've got full context
>> for the list.
>>
>> From the email thread I get "something loop and encryption and oauth"
>> but it's not clear what that "something" might be :-)
>
> We need to be able to encrypt "context information", as described here:
> https://wiki.mozilla.org/Loop/Architecture/Context

Thanks. It's cool to see additional applications springing up for these
account-linked encryption keys!
I agree with Chris's assessment that this will be much simpler to do
inside desktop Firefox than on the open web.
We need to be careful when defining the data model, so that we can
eventually add equivalent functionality to the public OAuth flow. This
means locking down what keys the relier can access, what they are
called, and how they are derived from the master key material on the
account.
A brief sanity-check: are you working from the terminology proposed in
the following thread?
https://mail.mozilla.org/pipermail/dev-fxacct/2014-December/001260.html
Also, a small suggestion for the proposed encryption flow on
https://wiki.mozilla.org/Loop/Architecture/Context, where you say:
"""
The room context information is serialized as a JSON object, and
encrypted using kR
"""
The key kR is likely the only key material your relier will be able to
get. I recommend treating it like a master key and deriving
purpose-specific keys from it via HKDF, rather than using it directly.
Cheers,
Ryan
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct