Questions about using FirefoxAccount information

Sam Penrose spenrose at
Wed Nov 13 14:09:24 PST 2013

Hey JR --

I'm not the right person to answer these, but I hate seeing a fellow left hanging, so I'm going to give it a shot. Let's start with a question you didn't ask.

0) Is Firefox Accounts ready for use by arbitrary services?
Not yet.

----- Original Message -----
From: "JR Conlin" <jrconlin at>
To: dev-fxacct at
Sent: Wednesday, November 13, 2013 11:51:53 AM
Subject: Questions about using FirefoxAccount information


I'm building a service that uses Firefox Accounts to log a user in and
associate data to that user. I was unable to discover the answers to
these questions viewing, but will happily read
whatever docs you can point me at.

As I understand it, login is performed by a gherkin script on the
browser that returns a certificate. The server I'm building is not
node.js, so I have a few questions about certificate management:

1) Is the certificate sensitive information (should I protect it from
inadvertent exposure or is it encrypted such that it's not an issue)?
How easy would it be for an unauthorized agent to spoof being a user if
they have the certificate?

Yes, the certificate says "I,, verify that this user agent owns the Firefox Account tied to this email address for this audience." You should not share that, although I believe the only (main?) threat is in the context of your service.

2) Is it possible to pass the certificate to a verification service
similar to the way that Persona verification worked?

We're going to stand one up for assertions generated by the certificate. See

3) While I don't really care about the certificate per se, I do need to
generate a unique identifier for a given user and have that identifier
match on different devices. Is the certificate unique per machine (e.g.
certificates from firefoxos devices are different than certificates from
general servers)? Is it possible to generate a user unique identifier
from the certificate or its content?

The system allows you to certificate (verb) the user's email address as unique for the purpose of Firefox Accounts.
