"x/ref": Bind identityd macaroon to tool's public key

Presently, the macaroon handed out by identityd as part of the
seekblessings flow is a bearer token, i.e., anyone who possesses
the macaroon can use it to obtain a blessing for the name (email)
encapsulated in the macaroon. This makes the macaroon an attractive
target for theft.

Since macaroons are only meant to be used by the principal tool, they
need not be bearer tokens. This CL makes identityd bind the macaroon
to the principal tool's public key (provided by the tool as part of the
"seekblessings" request, see CL: 11169), thereby making it a non-bearer-token
and therefore robust against theft. The public key is subsequently
checked when an RPC is made using the macaroon to obtain a blessing.

Change-Id: I03186c88e4cb9bf128eb0b1ce465fff6eb4821fe
3 files changed
tree: 59454d10f2997fcb333ccbc4961e2a4d6177f07a
  1. cmd/
  2. examples/
  3. internal/
  4. lib/
  5. runtime/
  6. services/
  7. test/
  8. .gitignore
  9. AUTHORS
  10. CONTRIBUTORS
  11. envvar.go
  12. envvar_test.go
  13. LICENSE
  14. PATENTS
  15. README.md
  16. VERSION
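
The binding described in the commit message above, as an added sketch that is not identityd's code or part of this change: the issuer puts a hash of the tool's public key under the macaroon's MAC, and redemption compares it with the key authenticated for the call. The names `Macaroon`, `Mint` and `Redeem`, the HMAC layout and the use of Ed25519 keys are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Macaroon is a hypothetical token layout, not identityd's wire format.
type Macaroon struct {
	Email   string
	KeyHash [32]byte // SHA-256 of the tool's public key
	Tag     []byte   // HMAC over Email and KeyHash under the server secret
}

func tag(secret []byte, email string, kh [32]byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(email + "\x00")) // NUL keeps the two fields apart
	mac.Write(kh[:])
	return mac.Sum(nil)
}

// Mint binds the macaroon to the key sent with the seekblessings request.
func Mint(secret []byte, email string, toolKey ed25519.PublicKey) Macaroon {
	kh := sha256.Sum256(toolKey)
	return Macaroon{Email: email, KeyHash: kh, Tag: tag(secret, email, kh)}
}

// Redeem assumes callerKey is the key the RPC layer authenticated for this call.
func Redeem(secret []byte, m Macaroon, callerKey ed25519.PublicKey) (string, error) {
	if !hmac.Equal(m.Tag, tag(secret, m.Email, m.KeyHash)) {
		return "", errors.New("macaroon: bad tag")
	}
	if sha256.Sum256(callerKey) != m.KeyHash {
		return "", errors.New("macaroon: bound to a different public key")
	}
	return m.Email, nil
}

func main() {
	secret := []byte("constructed-server-secret")
	tool, _, _ := ed25519.GenerateKey(nil)  // principal tool's key
	thief, _, _ := ed25519.GenerateKey(nil) // holder of a stolen copy
	m := Mint(secret, "alice@example.com", tool)
	fmt.Println(Redeem(secret, m, tool))  // succeeds for the bound key
	fmt.Println(Redeem(secret, m, thief)) // rejected: key does not match
}
```

The check only helps if the caller's key comes from the authenticated channel; a key supplied in the request body would let whoever holds the macaroon name the bound key themselves.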
README.md

Vanadium

This repository contains a reference implementation of the Vanadium APIs.

Unlike the APIs in https://github.com/vanadium/go.v23, which promise to provide backward compatibility, this repository makes no such promises.