I've created a PageSigner oracle; but how do I get PageSigner to use it? #9

Open
garyrob opened this issue Feb 12, 2022 · 9 comments

garyrob commented Feb 12, 2022

I've created a PageSigner oracle according to the INSTALL instructions. Everything seems to have gone OK. But are there instructions for getting the PageSigner Chrome extension to use it rather than the server instance you are running? I haven't been able to find any. Should I just look at the PageSigner source, figure out how to modify it, and make my own version of the PageSigner extension?

Also, what port(s) should be open, etc....

Or, if you'd rather that people only use your server for actually using PageSigner, please let me know.

@themighty1
Member

themighty1 commented Feb 13, 2022

Hey @garyrob, the steps are as follows:

  1. Start an oracle AWS server (as per https://github.com/tlsnotary/pagesigner-oracles/blob/master/INSTALL) and open all its incoming ports.

  2. Use https://github.com/tlsnotary/pagesigner-oracles/blob/master/aws_query.py to create an input for URLFetcher.

  3. Start URLFetcher Nitro enclave as per https://github.com/tlsnotary/URLFetcher and feed the input from Step 2 to it. The output will be the URLFetcher document. (takes ~20 mins)

  4. Feed the URLFetcher document (from Step 3) to the oracle machine (from Step 1) by doing
    `curl --data-binary '@URLFetcherDoc' 127.0.0.1:10012/setURLFetcherDoc`
    Replace 127.0.0.1 with the actual IP address of the oracle machine.
    If you make a mistake in this Step, you'll have to restart all the steps above. There is only one attempt to feed the URLFetcherDoc to it.

  5. Modify PageSigner's https://github.com/tlsnotary/PageSigner/blob/master/core/globals.js to have `defaultNotaryIP: 'oracle IP here'`

  6. By default PageSigner works only with oracle machines set up by the TLSNotary devs, so you'll have to comment out this line https://github.com/tlsnotary/PageSigner/blob/c94618d146c9243d15b1a087f74bc3ed0397fdde/core/oracles.js#L281 which says:
    `assert(AWSAccessKeyId === 'AKIAI2NJVYXCCAQDCC5Q');`

I hope I didn't miss any steps. Please let me know if there are problems along the way. Thanks.

@garyrob
Author

garyrob commented Feb 14, 2022

Thanks for those instructions!

aws_query.py asks for "AWS-ID" "AWS-secret"... So, I think that means my IAM Access Key Id and Secret Access Key? Sorry for the newbie questions and thank you again for your patience...

I'm asking because, while I can find an AWS ID for my top-level (non-IAM) account, a) I don't see a secret key for that, and b) I think we're supposed to use IAM in general.

@themighty1
Member

These are access key ID and secret access key for the root user of the AWS account.
Log in as root, click top right corner -> security credentials -> access key dropdown -> create new access key.
Yes, in general we would use the IAM account for day-to-day AWS operations. But for our purposes we want to prove that the AWS machine was set up correctly, so we need to prove it from a root account which has all the privileges and all API access.

@garyrob
Author

garyrob commented Feb 15, 2022

Is it OK that I created the AMI from an IAM account or should I have used the root user?

@themighty1
Member

I think it will work for an IAM user if you comment out this line which checks for root user:

https://github.com/tlsnotary/PageSigner/blob/c94618d146c9243d15b1a087f74bc3ed0397fdde/core/oracles.js#L189

@garyrob
Author

garyrob commented Feb 16, 2022

Hmm... sounds like the most secure solution might be to just have a separate, dedicated AWS account just for the oracle, using the root. Does that make sense?

@themighty1
Member

I'm not sure why you suggest it to be a separate AWS account. Any AWS account with the root user will work. It can be an already existing AWS account.

@garyrob
Author

garyrob commented Feb 18, 2022

I tend to be a cautious guy, at least when the cost is low for being cautious! Amazon says: "We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, use your root user credentials only to create your IAM admin user."

So if the natural flow with TLSNotary is to use the root, and especially if the subject matter being notarized could mean that somebody might want to make an attempt to manipulate it, it seems to make sense to protect other AWS stuff by having a different account for unrelated operations. I mean, the cost is low for doing so, so that's just my instinct.

@themighty1
Member

Yes, the ultimate solution is just to have a separate AWS account and launch the oracle as the root user.

I'm gonna explain the potential pitfall of running the oracle server from IAM instead of the root account:

Doing so may open up an attack vector, i.e. that the oracle server was launched maliciously, which will give the AWS account owner the ability to pump out fake notarization proofs. That's the only attack possible.
We are not trying to defend against e.g. the client stealing the AWS root account credentials because that is not possible in our setup.
If the oracle server is launched from an IAM account, it is potentially possible that the HTTP API calls (which are used to prove the oracle setup correctness) will report only partial information about the running instance.
That's why we run it from the root account and create the HTTP API calls on behalf of the user root, so that we can be sure that APIs report full information.
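
The root-user check discussed in this thread, sketched as an added example (not PageSigner's code and not written by either participant). It assumes the verifier holds an IAM GetUser response and an EC2 DescribeInstances response, and accepts only when the caller's ARN is the root identity of the account that owns the instance; the function names and sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A root identity has exactly this ARN shape: arn:aws:iam::<12-digit account id>:root
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def texts(xml_doc, local_name):
    """Return the text of every element with this local name, ignoring namespaces."""
    root = ET.fromstring(xml_doc)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == local_name]


def caller_is_root_owner(get_user_xml, describe_instances_xml):
    """Fail closed unless the querying identity is root of the instance's owner account."""
    try:
        arns = texts(get_user_xml, "Arn")
        owners = set(texts(describe_instances_xml, "ownerId"))
    except ET.ParseError:
        return False  # unparseable response is treated as a failed proof
    if len(arns) != 1 or len(owners) != 1:
        return False  # ambiguous or missing identity/owner information
    match = ROOT_ARN.match(arns[0])
    return bool(match) and match.group(1) in owners


# Constructed sample responses; the account ids and instance id are made up.
def sample_get_user(arn):
    return ('<GetUserResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">'
            "<GetUserResult><User><Arn>%s</Arn></User></GetUserResult>"
            "</GetUserResponse>" % arn)


SAMPLE_INSTANCES = (
    '<DescribeInstancesResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">'
    "<reservationSet><item><ownerId>123456789012</ownerId>"
    "<instancesSet><item><instanceId>i-0example</instanceId></item></instancesSet>"
    "</item></reservationSet></DescribeInstancesResponse>")

if __name__ == "__main__":
    for arn in ("arn:aws:iam::123456789012:root",              # root of owner account
                "arn:aws:iam::123456789012:user/oracle-admin",  # IAM user, same account
                "arn:aws:iam::999999999999:root"):              # root of another account
        print(arn, caller_is_root_owner(sample_get_user(arn), SAMPLE_INSTANCES))
```
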
