"x/ref": SeekBlessings also sends public key of the principal tool

Currently the 'seekblessings' flow involves obtaining a macaroon
from the HTTPS identity service and sending that macaroon over a
Vanadium RPC in order to obtain a blessing. The returned blessing
is based on the email address encapsulated in the macaroon.

At the moment, the macaroon is a bearer credential and can be used
(to obtain a blessing) by anyone who holds it. This makes it an
attractive target for theft.

We plan to bind the macaroon to the public key of the principal
tool so that only the principal tool can use the macaroon to
obtain a blessing.

This would be accomplished in two steps:
1) The principal tool will be updated to also send its public
key in the HTTPS request to the 'auth/google' endpoint of the Identity
Service.
2) The Identity service will be updated to include the public key
received from the tool in the issued macaroon, and only grant blessings
to clients whose public key matches the public key in the macaroon
presented by them.

This CL carries out Step 1.

Change-Id: Ieb943abc5574a8a6f079b4c6676f42acf3f7f330
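
The binding described in the commit message, as an added Go example (not code from this CL or from Vanadium). The `macaroon` layout, the HMAC construction, the Ed25519 keys and all function names are assumptions; `clientKey` stands for the public key the RPC layer has already authenticated for the caller.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type macaroon struct { // hypothetical layout
	Email     string
	PublicKey []byte // empty models today's bearer macaroon
	MAC       []byte // HMAC-SHA256 over Email and PublicKey under the service secret
}

func tag(secret []byte, email string, pub []byte) []byte {
	data, _ := json.Marshal([]interface{}{email, pub}) // unambiguous encoding of both fields
	h := hmac.New(sha256.New, secret)
	h.Write(data)
	return h.Sum(nil)
}

func mint(secret []byte, email string, pub []byte) macaroon {
	return macaroon{email, pub, tag(secret, email, pub)}
}

// bless returns the email to bless only when the macaroon is authentic and bound
// to clientKey, the key the RPC layer authenticated for the caller (assumed).
func bless(secret []byte, m macaroon, clientKey []byte) (string, error) {
	if !hmac.Equal(tag(secret, m.Email, m.PublicKey), m.MAC) {
		return "", errors.New("invalid macaroon MAC")
	}
	if len(m.PublicKey) == 0 || !bytes.Equal(m.PublicKey, clientKey) {
		return "", errors.New("macaroon not bound to caller's public key")
	}
	return m.Email, nil
}

func main() {
	secret := []byte("constructed-service-secret") // constructed sample value
	tool, _, _ := ed25519.GenerateKey(nil)         // key of the principal tool
	other, _, _ := ed25519.GenerateKey(nil)        // key of any other client
	m := mint(secret, "alice@example.com", tool)
	fmt.Println(bless(secret, m, tool))  // granted: caller key matches the bound key
	fmt.Println(bless(secret, m, other)) // rejected: macaroon presented under another key
}
```

Because the public key is covered by the MAC, replacing it in a copied macaroon invalidates the macaroon instead of rebinding it.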
2 files changed
tree: 49f8e18cb4626b437d976aab0daded67245fb69f
README.md

Vanadium

This repository contains a reference implementation of the Vanadium APIs.

Unlike the APIs in https://github.com/vanadium/go.v23, which promise to provide backward compatibility, this repository makes no such promises.