Questions about using FirefoxAccount information

Ryan Kelly rfkelly at
Thu Nov 14 02:40:16 PST 2013

On 14/11/2013 7:37 PM, Lloyd Hilaiel wrote:
> On Nov 14, 2013, at 12:14 AM, Ryan Kelly <rfkelly at> wrote:
>>> 1) Is the certificate sensitive information (should I protect it from
>>> inadvertent exposure or is it encrypted such that it's not an issue)?
>> Yes it is, but the certificate itself should never leave the client
>> device, so the server shouldn't need to worry about it.  Only signed
>> identity assertions are seen by the server.
> The certificate itself is embedded in every assertion; it leaves the client device every time you sign in.  It is only the private key that should never leave the client device.

Indeed, this is a sloppy confusion of terms on my part.  Is there a
canonical reference for all the moving parts in the BrowserID protocol,
which we should link from the FxA documentation?

This page sounded like exactly what we need:

But it's more about project names than technical terminology at the moment.
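The distinction settled in this exchange, as an added example that is not part of the original thread or of any FxA or BrowserID code: a bundled assertion carries the certificate (with the public key) to the server, while private key members should never appear in it. The `cert~assertion` bundle layout, the `public-key` / `principal` field names and the "RS"/"DS" key member names are assumptions based on the BrowserID format; the tokens are constructed samples with placeholder signatures, and no signature is verified.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jws(payload: dict) -> str:
    # Constructed sample token; the signature is a placeholder, not a real one.
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.{b64url(b'placeholder-signature')}"

# Assumed private-key member names per BrowserID key algorithm.
PRIVATE_MEMBERS = {"RS": {"d"}, "DS": {"x"}}

def jws_payload(jws: str) -> dict:
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS")
    return json.loads(b64url_decode(parts[1]))

def inspect_backed_assertion(bundle: str) -> dict:
    """Split 'cert~...~assertion' and report what the server receives."""
    *certs, assertion = bundle.split("~")
    if not certs:
        raise ValueError("no certificate in bundle")
    cert = jws_payload(certs[-1])  # last certificate vouches for the user's key
    key = cert.get("public-key", {})
    leaked = PRIVATE_MEMBERS.get(key.get("algorithm"), set()) & key.keys()
    return {
        "certificates_sent": len(certs),
        "principal": cert.get("principal", {}).get("email"),
        "key_members": sorted(key),
        "private_members_present": sorted(leaked),
        "audience": jws_payload(assertion).get("aud"),
    }

# Constructed sample data (hypothetical issuer, user and relying party).
SAMPLE_CERT = make_jws({"iss": "idp.example", "exp": 1384425616000,
                        "principal": {"email": "user@example.com"},
                        "public-key": {"algorithm": "RS", "n": "1234567", "e": "65537"}})
SAMPLE_ASSERTION = make_jws({"aud": "https://rp.example", "exp": 1384425616000})
SAMPLE_BUNDLE = SAMPLE_CERT + "~" + SAMPLE_ASSERTION

if __name__ == "__main__":
    print(json.dumps(inspect_backed_assertion(SAMPLE_BUNDLE), indent=2))
```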

