Talk:SecurityEngineering/2014/Q3Goals

From MozillaWiki

This is the raw content from the etherpad brainstorming.

Working draft (includes crossed-off ideas):


Core/DOM

  • revamp Gecko security hooks continued - next steps? What are they?
    • Finish code and debugging for New Channel API, start getting reviews and fixing the issues brought up
      • Get New Channel API landed (we should be able to do that, perhaps without moving content policy check)
      • Figure out the addon compatibility story
    • Bonus - start architecting and implementing new observer service
  • CSP
    • get rid of old implementation entirely
    • CSP 1.1 compliance (finish things needed to line up with draft)
  • Subresource Integrity (SRI)? implement or plan out implementation? evaluate?
    • once upon a time, this was implemented - Link fingerprints: bug 377245 (and dependencies)
  • Referrer control
    • <meta> referrer control
    • CSP referrer directive
    • <a rel="noreferrer">
    • Make progress on referrer= attribute for other DOM elements

Communications Security

  • [CARRY OVER] SSL Error Reporting finish first implementation of ssl error reporting feature. (dri=grobinson)
  • [NEW] HPKP - implement pinning http header (dri=cviecco)
  • [NEW] Update roadmap for Cert Revocation improvements (dri=rbarnes)
  • [NEW] Create a mechanism to provision phones with an alternate cert (dri=mgoodwin)
  • [NEW] Add measurement/enforcement of compliance with CABF Baseline Requirements (dri=keeler)
  • [NEW] Create a tool for testing CA certificate compliance and EV-readiness (dri=keeler)
  • [NEW] Add support for key wrap/unwrap and ECC in WebCrypto (dri=rbarnes)
  • [NEW] [stretch goal] Enable revocation of intermediate CAs through block list service (dri=harsh, keeler)
  • [NEW] [stretch goal] Require 2048-bit keys for built-in root certificates (dri=kathleen)
  • [NEW] [stretch goal] Get CA Program data into one database (dri=kathleen)

Tracking Control

Evangelism

  • security outreach - Security Open Mic presentation + blog post about new CSP, maybe again as brown bag.
  • talk at (web dev) conference? Be more visible?
  • Knock down Tor Browser Bundle bugs
    • Tor dev conf at Mozilla Paris