More on data formats

Lloyd Hilaiel lhilaiel at mozilla.com
Wed Nov 20 01:41:33 PST 2013


I love this: https://github.com/djc/id-specs/blob/prod/browserid/json-formats.md

I'm on board with all of these changes.

A couple of thoughts:

1. That an assertion lacks `iat` makes robust date range checking
difficult.  Specifically, it's hard to verify that you don't have an
assertion with a future issue time.  Shall we add `iat` to the assertion
format?

2. Let's explicitly cover extensibility [1]:

2a. As an IdP, I want to embed extra information in the user's
certificate.  Where do I put it?
2b. As a user agent, I want to embed extra information in an identity
assertion.  Where do I put it?
2c. As an IdP, I want to add information about the (was: principal)
subject of the assertion.  Do I extend with properties in the sub key?

Note: My motivation here is generating an assertion verification
library that can extract extra properties that are signed, without
having to understand them.

I love this work, djc.  How do others feel about this?

lloyd

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17 -
sections 4.2 and 4.3 are pretty wild west about private extension
naming.  But the suggestion seems to be to add properties as you
extend.
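
Added example, not part of the original message and not BrowserID project code: a sketch of the two checks the message asks for, run on a payload whose signature is assumed to be already verified. The function names, the reserved-key list, the millisecond time unit, the two-minute skew and the sample payload are all assumptions made for illustration.

```javascript
// Assumption: these are the keys the verifier itself interprets.
const RESERVED = new Set(['iss', 'sub', 'aud', 'exp', 'iat']);

// Check with `exp` only: cannot tell when the assertion was issued.
function expOnlyCheck(payload, nowMs, skewMs = 120000) {
  return Number.isFinite(payload.exp) && payload.exp >= nowMs - skewMs;
}

// Check with `iat` and `exp` (assumed to be milliseconds since the epoch).
function checkWindow(payload, nowMs, skewMs = 120000) {
  const { iat, exp } = payload;
  if (!Number.isFinite(exp)) return { ok: false, reason: 'missing exp' };
  if (!Number.isFinite(iat)) return { ok: false, reason: 'missing iat' };
  if (iat > exp) return { ok: false, reason: 'iat after exp' };
  if (iat > nowMs + skewMs) return { ok: false, reason: 'issued in the future' };
  if (exp < nowMs - skewMs) return { ok: false, reason: 'expired' };
  return { ok: true, reason: null };
}

// Return signed properties the verifier does not understand, untouched.
// Null-prototype objects keep a "__proto__" key from altering the result.
function splitClaims(payload) {
  const known = Object.create(null);
  const extra = Object.create(null);
  for (const [key, value] of Object.entries(payload)) {
    (RESERVED.has(key) ? known : extra)[key] = value;
  }
  return { known, extra };
}

// Constructed sample: issued one hour after "now", with one extension key.
const SAMPLE_NOW = 1384940493000;
const SAMPLE_FUTURE = {
  aud: 'https://rp.example',
  iat: SAMPLE_NOW + 3600000,
  exp: SAMPLE_NOW + 3900000,
  'x-device': 'phone',
};

console.log(expOnlyCheck(SAMPLE_FUTURE, SAMPLE_NOW)); // accepted
console.log(checkWindow(SAMPLE_FUTURE, SAMPLE_NOW));  // rejected
console.log(splitClaims(SAMPLE_FUTURE).extra);
```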

