On Mon, Jul 29, 2013 at 5:26 PM, Jim Klo <[email protected]> wrote: > Right. The key difference from other 3-party solutions is that, once the > BrowserID protocol is up and running with a really stable release, Identity > verification should be untraceable by the IdP. BrowserID uses a model where > the client generates public key material and asks their IdP to validate and > countersign an assertion and hand back to them a signed response. The client > then hands that signed response over the the RP from which the only thing the > RP should have to do is validate the countersigning done by the IdP using the > IdP's well known public certificate.
Identity verification should be untraceable by the IdP in the current setup as well. > The challenge really is while they have their spec stored in GitHub… the > protocol itself isn't well versioned IMO in that it doesn't advertise the > running version and there's no way to interoperate with a specific version of > the protocol AFAIK. Thus keeping RP implementations in sync with production > is a royal PITA - resulting in versions of the current CouchDB plugin > breaking all of a sudden because Mozilla changed something and theres no way > to request the old version of the protocol hence validation done on the RP > side breaks.. Protocol versioning is one of the remaining goals, it will be done. But you're still pretty vague here about versioning and how things break. AFAICT, the actual recommended RP API has changed a few times, but the old versions are still supported, so nothing is broken on that side. What might have been broken is the shim implementation of the DOM/UA handling of RP/IdP intermediary, but that Mozilla has AFAIK always said that that part has not been stabilized, and this is the reason you shouldn't fork your own include.js. > I was just +1 that if someone wanted to build IdP support for > Persona/BrowserID into CouchDB - for those of us who would like a more stable > provider that doesn't up and change suddenly breaking things. This doesn't make sense. The IdP API has been perfectly stable for a long while now. And I'm not sure CouchDB *as* an IdP makes a whole lot of sense, though of course an IdP could trivially be backed by CouchDB. > Also +1 for better RP support when Persona is 'ready'. I'd contend that free-standing RP support doesn't mean it's better, it's just free-standing. But the assumption that disconnected operation isn't very important to almost all users seems sensible enough to me. Cheers, Dirkjan
