From: "michal.lowas-rzechonek@silvair.com" <michal.lowas-rzechonek@silvair.com>
To: "Gix, Brian" <brian.gix@intel.com>
Cc: "johan.hedberg@gmail.com" <johan.hedberg@gmail.com>,
"marcel@holtmann.org" <marcel@holtmann.org>,
"linux-bluetooth@vger.kernel.org"
<linux-bluetooth@vger.kernel.org>,
"Stotland, Inga" <inga.stotland@intel.com>
Subject: Re: [PATCH BlueZ 0/1] mesh: Add D-Bus Security for sensitive data
Date: Wed, 14 Aug 2019 23:20:41 +0200
Message-ID: <20190814212041.ty27uuyolyujaoqe@kynes>
In-Reply-To: <FF0F331A-753C-4A3E-9EFD-E54BD0657DA8@intel.com>
Brian,
On 08/14, Gix, Brian wrote:
> I don't think so.... If a token is leaked, and we offer *any* kind of
> mechanism to export keys, then any permissions that the App with
> legitimate access to the token has, is then conferred on *any* entity
> that obtains access to the token.
>
> The only way around this is to not allow any access, by any apps, to
> any exportable keys.... or to secure access to the token.
No, not the only way.
We could require additional authentication before attached application
can access export functionality - for example, check that user running
the application belongs to a certain group.
regards
--
Michał Lowas-Rzechonek <michal.lowas-rzechonek@silvair.com>
Silvair http://silvair.com
Jasnogórska 44, 31-358 Krakow, POLAND
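
The group check proposed in the message above, as an added example that is not part of the original e-mail and is not BlueZ code: given the caller's UID, decide whether that user is in a designated group before serving a key-export request. It assumes the daemon has already obtained the UID from the bus daemon (for example via org.freedesktop.DBus.GetConnectionUnixUser); the group name `mesh-export` and the function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EXPORT_GROUP "mesh-export" /* hypothetical name, not from the thread */
/* 1 = member (primary or supplementary), 0 = not a member, -1 = lookup failed */
int uid_in_group(uid_t uid, const char *group_name)
{
    struct group *gr = getgrnam(group_name);
    struct passwd *pw = getpwuid(uid);
    if (!gr || !pw)
        return -1;
    gid_t wanted = gr->gr_gid, primary = pw->pw_gid;
    char *user = strdup(pw->pw_name); /* pw points at static storage */
    int n = 16, found = -1;
    gid_t *groups = malloc(n * sizeof(*groups));
    if (!user || !groups)
        goto out;
    if (getgrouplist(user, primary, groups, &n) == -1) { /* too small: n = needed */
        gid_t *bigger = realloc(groups, n * sizeof(*groups));
        if (!bigger)
            goto out;
        groups = bigger;
        if (getgrouplist(user, primary, groups, &n) == -1)
            goto out;
    }
    found = 0;
    for (int i = 0; i < n; i++)
        found |= (groups[i] == wanted);
out:
    free(user);
    free(groups);
    return found;
}

/* Deny by default: a failed lookup (-1) is handled like "not a member". */
int export_allowed(uid_t caller_uid)
{
    return uid_in_group(caller_uid, EXPORT_GROUP) == 1;
}

int main(void)
{
    printf("uid %d export allowed: %d\n", (int)getuid(), export_allowed(getuid()));
}
```

The check is only as trustworthy as the UID it is given, so the UID has to come from the bus daemon's view of the connection, never from a value the client supplies in the method call.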