Update with the admin feature #78


Closed
hug-dev opened this issue Jan 8, 2021 · 0 comments · Fixed by #80
Labels
multitenancy security Issues related to the security and privacy of the service

Comments

hug-dev commented Jan 8, 2021

After parallaxsecond/parsec#308 is implemented, the following things need to be updated:

Threat model updates

  • A9 for Spoofing and Tampering needs to be updated with the new idea that someone malicious could set itself as the admin. More assets are then impacted because all clients' keys can be destroyed. O-6 covers the right mitigation.
  • A1 Spoofing threats are aggravated if the authentication stolen is the admin one: in that case not only admin keys are at risk but everyone's (only allows deletion of keys, not exposure/usage). I propose that we add a notice in the AS1 section noting down that the admin's authentication token is particularly sensitive as it impacts all.