> Who is/are the point of contact(s) for this review? Jared Wein, Stephen Horlander > Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.): We will remove the favicon from the Firefox address bar and replace it with a generic icon in http and mixed content scenarios. Use a grey lock in https, and a green lock in https+ev. The verified domain will be hidden in https. The verified identity will be visible in https+ev. > Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description: See bug 742419 and the attached mockup in the bug. > Does this request block another bug? If so, please indicate the bug number Just bug 742419. > This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? This request does not need to be expedited. > Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.) > Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users? Firefox. > Are there any portions of the project that interact with 3rd party services? No. > Will your application/service collect user data? If so, please describe No. > If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size): > Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite. Wednesday, April 18th at 1pm would be nice.

https://bugzilla.mozilla.org/show_bug.cgi?id=742419#c11 states that a formal review may be unnecessary, so this bug exists so we can track the necessity of a formal review. Please close this bug if a formal review is not needed.

we will need UX representation for this, as we are not so concerned with implementation but more with design. :dveditz will act as lead for this

I invited Limi for this to represent UX let me know if we need to get others. Calendar entry: https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=110473-110472&pstat=AC&exInvId=110473-164957&useInstance=1&instStartTime=1334779200000&instDuration=3600000 :dveditz Update the required reading list for this review please https://etherpad.mozilla.org/requiredreading

============================ https://bugzilla.mozilla.org/show_bug.cgi?id=744304= Item to be reiviewed: New Identity Box Design Link to calendar entry: https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=110473-110472&pstat=AC&exInvId=110473-164957&useInstance=1&instStartTime=1334779200000&instDuration=3600000 SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=744304 Security Lead: Dan Veditz Required Reading List: * https://bugzilla.mozilla.org/show_bug.cgi?id=742419 * https://bug742419.bugzilla.mozilla.org/attachment.cgi?id=612253 (If possible prefill this area for copying to the notes section of the review) Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time] - Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) - What solutions/approaches were considered other than the proposed solution? - Why was this solution chosen? - Any security threats already considered in the design and why? * Threat Brainstorming (30-40 minutes) * Conclusions / Action Items (10-20 minutes) =============================

SecReview Notes: https://wiki.mozilla.org/Security/Reviews/IdentityBox

I've moved the list of dependent bugs to bug 742419 since that bug covers the implementation of the feature. I think we can mark this bug as resolved now.

this bug should not be closed or resolved until the the follow on bugs are also resolved. And those bugs block this bug from being closed out. We don't consider a review complete until all the action item bugs from said review are complete. I don't mind you changing the product and component of the bugs but they should continue to block resolution of this bug.

Do [secreview complete] and the sec-review-complete keyword mean different things?

At the moment yes, the whiteboard tag is to let me know that the meeting is done (I should come up with something better) and the keyword is the whole thing is done (action items etc).

All dependencies on this security review have now been resolved. I'm marking this as resolved based on comment #7.