Questions about using FirefoxAccount information

JR Conlin jrconlin at mozilla.com
Wed Nov 13 14:30:48 PST 2013


On 2013/11/13 2:14 PM, Ryan Kelly wrote:
> On 14/11/2013 6:51 AM, JR Conlin wrote:
>> As I understand it, login is performed by a gherkin script on the
>> browser that returns a certificate. The server I'm building is not
>> node.js, so I have a few questions about certificate management:
> 
> At a high level, the login flow from the server's perspective is
> completely identical to the existing BrowserID login flow (which probably
> explains why we haven't documented it separately):
> 
>   * Client talks to FxA server to obtain an identity certificate
> 
>   * Client uses certificate to sign an identity assertion
> 
>   * Client delivers identity assertion to the server to login
> 
>   * Server verifies the identity assertion and exchanges it for
>     e.g. a session cookie

As noted, I am working on the Where's My Fox server portion.

Just so I'm clear, the current design has two aspects to it:
* A FxOS client
* A server with its own UI.

The device and server need to coordinate and agree upon the fact that
the user is the correct individual. As I understand, the device could
send the verified certificate UUID (and store it for future use).
Likewise the server could authenticate the cert and fetch the same UUID,
only allowing if the two match. This would prevent the need to exchange
the certificate between the two, correct?


> 
>> 1) Is the certificate sensitive information (should I protect it from
>> inadvertent exposure or is it encrypted such that it's not an issue)?
> 
> Yes it is, but the certificate itself should never leave the client
> device, so the server shouldn't need to worry about it.  Only signed
> identity assertions are seen by the server.

Ah, so possibly a confusion in terminology on my part. I thought that
"certificate" was the new name for the old BrowserID "assertion". If the
previous understanding is correct, however, I need not send the signed
assertion to the server at all.
> 
>> How easy would it be for an unauthorized agent to spoof being a user if
>> they have the certificate?
> 
> They would need the corresponding private key, which doesn't leave the
> client device.

Again, I'll blissfully suppose that my bad terms caused confusion.

> 
>> 2) Is it possible to pass the certificate to a verification service
>> similar to the way that Persona verification worked?
> 
> Yes, in fact you will need to do this in exactly the same way as Persona
> verification.  We'll have a separate verifier service, details are being
> hashed out in:
> 
>   https://github.com/mozilla/picl-idp/issues/292
> 
>> 3) While I don't really care about the certificate per se, I do need to
>> generate a unique identifier for a given user and have that identifier
>> match on different devices. Is the certificate unique per machine (e.g.
>> certificates from firefoxos devices are different than certificates from
>> general servers)? Is it possible to generate a user unique identifier
>> from the certificate or its content?
> 
> FxA will provide you with a "uid" in addition to the user's email.  This
> is a UUID and is intended as a stable user identifier for exactly this
> purpose.
> 
> I'll work on getting some of these details a bit clearer in the wiki.
> 
> And for context for the rest of the list...
> 
>> 0) Is Firefox Accounts ready for use by arbitrary services?
>> Not yet.
> 
> JR's gearing up to work on WheresMyFox, so while the above is good
> advice, it doesn't apply in this case ;-)
> 
> 
>   Cheers,
> 
>     Ryan
> 
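
The server-side step the thread describes (receive a signed identity assertion, hand it to a verifier service as with Persona, then exchange it for a session keyed on the stable "uid"), written out as an added example; this is illustration code, not anything from the Where's My Fox project or the FxA team. The verifier URL, the audience string, the JSON shape of the verifier's reply (modelled on the Persona verifier's status/email/audience/expires/issuer, with an assumed "uid" claim, since the thread says those details were still being hashed out) and the `transport` hook are all assumptions; the hook is what lets the block run offline against constructed replies.

```python
import json
import secrets
import time
import urllib.request

# Placeholders, not real endpoints: the thread says the FxA verifier was
# still being designed, so both the URL and this server's audience are assumed.
VERIFIER_URL = "https://verifier.example.invalid/verify"
AUDIENCE = "https://wheresmyfox.example.invalid"


class LoginRejected(Exception):
    """Raised whenever the server refuses to turn an assertion into a session."""


def post_json(url, payload):
    """Real transport: POST a JSON body and parse the JSON reply (not exercised offline)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_assertion(assertion, audience=AUDIENCE, transport=post_json, now_ms=None):
    """Send the signed assertion to the verifier and apply the checks the
    relying party still owns even after the verifier says "okay".

    Reply shape is assumed to follow the Persona verifier: status, email,
    audience, expires (ms since epoch), issuer, plus an assumed "uid" claim.
    """
    reply = transport(VERIFIER_URL, {"assertion": assertion, "audience": audience})
    if reply.get("status") != "okay":
        raise LoginRejected("verifier rejected assertion: %s" % reply.get("reason", "unspecified"))
    # The audience binds the assertion to this site; an assertion minted for
    # another site must not log anyone in here, whatever the verifier said.
    if reply.get("audience") != audience:
        raise LoginRejected("assertion audience %r is not this server" % reply.get("audience"))
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if int(reply.get("expires", 0)) <= now_ms:
        raise LoginRejected("assertion has expired")
    uid, email = reply.get("uid"), reply.get("email")
    if not uid or not email:
        raise LoginRejected("verifier reply carries no uid/email")
    return {"uid": uid, "email": email, "issuer": reply.get("issuer")}


def login(assertion, claimed_uid, sessions, transport=post_json, now_ms=None):
    """Exchange a verified assertion for a session token.

    claimed_uid is whatever the device sent alongside the assertion; it is
    only ever compared against the verifier's uid, never trusted on its own.
    """
    identity = verify_assertion(assertion, transport=transport, now_ms=now_ms)
    if claimed_uid is not None and claimed_uid != identity["uid"]:
        raise LoginRejected("device-supplied uid does not match verified uid")
    token = secrets.token_urlsafe(32)
    sessions[token] = identity["uid"]
    return token


# Constructed sample data so the block runs offline; no network is touched.
FAKE_NOW_MS = 1384381848000  # roughly the date of the thread
SAMPLE_UID = "0123456789abcdef0123456789abcdef"  # constructed, not a real account
GOOD_REPLY = {
    "status": "okay",
    "email": "user@example.invalid",
    "audience": AUDIENCE,
    "expires": FAKE_NOW_MS + 60_000,
    "issuer": "accounts.example.invalid",
    "uid": SAMPLE_UID,
}
WRONG_AUDIENCE_REPLY = dict(GOOD_REPLY, audience="https://other-site.example.invalid")
EXPIRED_REPLY = dict(GOOD_REPLY, expires=FAKE_NOW_MS - 1)
FAILED_REPLY = {"status": "failure", "reason": "bad signature"}


def canned(reply):
    """Build a transport that returns a fixed verifier reply instead of POSTing."""
    return lambda url, payload: dict(reply)


def outcome(reply, claimed_uid=SAMPLE_UID):
    """Run login against a canned reply; return the uid on success or the rejection reason."""
    sessions = {}
    try:
        token = login("opaque-assertion-blob", claimed_uid, sessions,
                      transport=canned(reply), now_ms=FAKE_NOW_MS)
    except LoginRejected as exc:
        return "rejected: %s" % exc
    return sessions[token]


if __name__ == "__main__":
    for name, reply in [("good", GOOD_REPLY), ("wrong audience", WRONG_AUDIENCE_REPLY),
                        ("expired", EXPIRED_REPLY), ("failed", FAILED_REPLY)]:
        print("%-15s -> %s" % (name, outcome(reply)))
    print("%-15s -> %s" % ("uid mismatch", outcome(GOOD_REPLY, claimed_uid="deadbeef")))
```

The point JR raises about matching UUIDs is handled in `login`: the device may send the uid it believes it has, but the session is keyed on the uid the verifier returned, and a mismatch is a rejection rather than a reason to trust the client's value. The audience check is the relying party's own responsibility in the Persona model and is the one most often forgotten.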
