Questions about using FirefoxAccount information

Lloyd Hilaiel lhilaiel at
Thu Nov 14 00:37:51 PST 2013

On Nov 14, 2013, at 12:14 AM, Ryan Kelly <rfkelly at> wrote:

>> 1) Is the certificate sensitive information (should I protect it from
>> inadvertent exposure or is it encrypted such that it's not an issue)?
> Yes it is, but the certificate itself should never leave the client
> device, so the server shouldn't need to worry about it.  Only signed
> identity assertions are seen by the server.

The certificate itself is embedded in every assertion it leaves the client device every time you sign in.  It is only the private key that should never leave the client device.

More information about the Dev-fxacct mailing list