Element (Matrix client) Bridge Encryption - security review request
Closed, ResolvedPublic

Description

Hey folks. New Vector (the Element vendor) completed the encryption tool they told us they would develop in the hope that we could use it to bridge our private Slack channels and DMs to Element. As a reminder, Legal, ITS, and Security agreed to only bridge "public" Slack channels (public in the sense that anyone in our Slack workspace can join these channels) to our Matrix server until New Vector developed a bridge encryption tool that satisfied our security needs. Below is the information New Vector shared with me.

The basics of the tool are explained in the bridge's documentation at Bridge Encryption

The code is open-source and mainly contained in these projects:

matrix-appservice-slack – The Matrix <-> Slack bridge
matrix-appservice-bridge – A foundational library for most Matrix bridges.
pantalaimon – An encryption-aware proxy daemon for Matrix clients.

Do you need any additional information to complete an audit of their data encryption solution and determine whether it satisfies our security needs? Would you like me to set up a meeting with the vendor to discuss this tool?

Thank you!

Event Timeline

sbassett subscribed.

@bcampbell - Can you provide us with an estimated deployment date for this? Something more specific than "as soon as possible" is desirable, for scheduling purposes. And is there any kind of working test or development environment that the Security-Team can have access to? That would likely be a requirement for this review.

This review will likely be a hybrid review where the Security-Team performs some additional vendor review (or just re-confirms a few items) in addition to a security readiness review mainly focused upon the pantalaimon daemon.

@Aklapper Got it, noted!

@sbassett Estimated deployment date is end of fiscal year. Is that a realistic goal for your team? Per my request, New Vector enabled the encryption tool on one Slack channel bridged to Element, #matrix-encryption-test, but I don't have any visibility into the backend. Would server logs suffice or do you need some sort of real-time access to the bridge to see what's going on?

It probably is, though I don't believe we will perform any extensive application security review for the codebases you've provided, as we're not really resourced to do so and simply cannot do this for every vendor engaged by the Foundation. So this request will likely entail another round of vendor review with some variety of risk rating.

Understood, thanks. I'll see what New Vector can provide us with and follow up here.

@sbassett The vendor let me know that they will not be able to provide us with server logs, but they are willing to work with us to get access to the backend of a testing environment. They told me that because the testing environment they set up is running on their private infrastructure, they would prefer to move it to a separate instance for us to be able to freely access. They prefer that we use our own hardware, but offered to set something up for us on their side that we would be able to access.

I can take them up on their offer to set up a test environment for us that we can access on their end if that would be useful for you. Would that be part of the vendor review that you mentioned? Thanks.

@bcampbell - I'm not certain how necessary this would be at this point in time, and would defer to @Dsharpe. Our team really is not resourced to perform exhaustive audits of vendor-supplied code, especially for business productivity systems like this.

@sbassett - Will do, understood.

@Dsharpe - Do you need any additional resources to review the bridge encryption solution other than the details I provided in the task description? I can set up a meeting with the Privacy team and whoever you want on your team to pick this discussion back up if you think that would be a more efficient way to figure out what needs to be done here.

Hi @bcampbell! Is the last diagram from the vendor from our 24 July 2020 meeting still accurate given what the vendor has created now, especially for the part about burning keys after use? I'll send over the link if that helps. Are the listed pros and cons from that document still exactly the same with their current offering and our planned implementation?

sbassett triaged this task as Medium priority. Apr 19 2021, 3:25 PM

Hey @Dsharpe! Can you please share the diagram you are referencing with me? Are you referring to the confidential Element recommendation memo we put together with the Privacy team?

I believe the pantalaimon tool I referenced in the Task description is what they have implemented to mitigate our encryption-at-rest concerns. Our planned implementation remains the same (to bridge all Slack comms to Matrix, and selected non-sensitive channels to IRC), but we'll need to readjust the timeline.

As long as the new vendor-maintained solution works in accordance with the writeup we got on 24 July 2020, the vendor security review portion of this request is fine.

Hey @Dsharpe. The vendor just completed the burning keys after use feature and deployed it to our server. They told me that the document shared with us in July is essentially still accurate, so I followed up and requested that they revise the document so that it describes the exact solution implemented for us. I'll follow up with you here when I hear back.

@Dsharpe I heard back from the vendor and they let me know that the developer confirmed that the encryption implementation is the same as the method described in the document. I'll now schedule a follow-up meeting with ITS, Security, and Privacy to discuss.