Questions about using FirefoxAccount information

JR Conlin jrconlin at
Wed Nov 13 11:51:53 PST 2013


I'm building a service that uses Firefox Accounts to log a user in and
associate data to that user. I was unable to discover the answers to
these questions viewing, but will happily read
whatever docs you can point me at.

As I understand it, login is performed by a gherkin script on the
browser that returns a certificate. The server I'm building is not
node.js, so I have a few questions about certificate management:

1) Is the certificate sensitive information (should I protect it from
inadvertent exposure or is it encrypted such that it's not an issue)?
How easy would it be for an unauthorized agent to spoof being a user if
they have the certificate?

2) Is it possible to pass the certificate to a verification service
similar to the way that Persona verification worked?

3) While I don't really care about the certificate per se, I do need to
generate a unique identifier for a given user and have that identifier
match on different devices. Is the certificate unique per machine (e.g.
certificates from firefoxos devices are different than certificates from
general servers)? Is it possible to generate a user unique identifier
from the certificate or it's content?


More information about the Dev-fxacct mailing list