certificate/sign is fundamentally broken and cannot work as it is with existing sync.next plan

Ryan Kelly rfkelly at mozilla.com
Sun Nov 24 14:40:44 PST 2013


On 23/11/2013 7:30 AM, Nick Alexander wrote:
> Hello team,
> 
> certificate/sign now returns a Browser ID certificate certifying a
> public email address [1].  Observe the {"email":"testtestk at ..."} below.
> The private key signing the certificate is not the same as the private
> key of the IdP hosting the email address.  (If there even is a
> Persona-style IdP at the appropriate host.)
> 
> The existing token server rightly rejects such bullshit certificates
> (and assertions generated from them).  This completely breaks the
> proposed sync.next plan.

Sorry Nick - we pushed the client-facing change through in support of
FxOS work, but then got waylaid with broader design questions before
implementing the corresponding server-facing changes.

The original plan was to use a custom verifier that trusts FxA as a
secondary:

  https://github.com/mozilla/fxa-auth-server/issues/292

But the details there are still in flux, so:

> On 23/11/2013 10:23 AM, Chris Karlof wrote:
> This change was reverted on the dev server
> (https://api-accounts.dev.lcip.org/) and the latest dev server.

Thanks Chris!


  Cheers,

    Ryan
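The issuer check Nick describes, worked through as an added example (this is
not code from the thread, from fxa-auth-server or from the token server). A
BrowserID verifier only accepts a certificate for alice@example.com if it was
signed by the IdP for example.com; a certificate signed by some other server's
key is rejected unless that server has been explicitly configured as a trusted
secondary, which is what the proposed custom verifier would do for FxA. The
issuer names, keys and key ids below are constructed, and HMAC stands in for
the RSA/DSA JWS signatures real BrowserID certificates carry so that the script
runs offline.

```python
"""Toy BrowserID-style certificate verifier (constructed example).

HMAC stands in for the IdP's asymmetric signature; the point illustrated is
the issuer-versus-email-domain rule, not the signature algorithm.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed per-issuer signing keys (stand-in for each IdP's private key).
ISSUER_KEYS = {
    "example.com": b"example.com-idp-signing-key",
    "accounts.example.org": b"fxa-style-secondary-signing-key",  # hypothetical FxA-like issuer
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return _b64u(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def sign(payload: dict, key: bytes) -> str:
    """JWS-shaped token header.payload.signature (HMAC in place of RSA)."""
    signing_input = _encode({"alg": "HS256"}) + "." + _encode(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def unverified_payload(token: str) -> dict:
    """Decode the payload without checking the signature (needed to learn the issuer)."""
    return json.loads(_b64u_decode(token.split(".")[1]))


def check_signature(token: str, key: bytes) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64u_decode(sig))


def issue_certificate(issuer: str, email: str, user_key_id: str, ttl: int = 3600) -> str:
    """What an IdP's certificate/sign endpoint hands back: a signed claim that
    the holder of user_key_id owns email."""
    payload = {
        "iss": issuer,
        "exp": int(time.time()) + ttl,
        "principal": {"email": email},
        "public-key": {"kid": user_key_id},  # toy: real certs embed the user's public key
    }
    return sign(payload, ISSUER_KEYS[issuer])


def tamper(cert: str, new_email: str) -> str:
    """Swap the email in a certificate but keep the old signature."""
    head, body, sig = cert.split(".")
    payload = json.loads(_b64u_decode(body))
    payload["principal"]["email"] = new_email
    return head + "." + _encode(payload) + "." + sig


def verify_certificate(cert: str, trusted_secondaries=(), now=None) -> dict:
    """Return {"status": "okay", ...} or {"status": "failure", "reason": ...}.

    Core rule: the issuer must be the email's own domain, unless the verifier
    has been configured to trust that issuer as a secondary for any domain."""
    payload = unverified_payload(cert)
    issuer = payload.get("iss", "")
    email = payload.get("principal", {}).get("email", "")
    domain = email.rpartition("@")[2].lower()
    if issuer.lower() != domain and issuer not in trusted_secondaries:
        return {"status": "failure", "reason": f"issuer {issuer!r} is not authoritative for {domain!r}"}
    key = ISSUER_KEYS.get(issuer)  # real verifiers fetch the issuer's public key
    if key is None:
        return {"status": "failure", "reason": f"no key known for issuer {issuer!r}"}
    if not check_signature(cert, key):
        return {"status": "failure", "reason": "bad signature"}
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        return {"status": "failure", "reason": "certificate expired"}
    return {"status": "okay", "email": email, "issuer": issuer}


def demo() -> dict:
    """Status per scenario: own-domain IdP, wrong issuer, trusted secondary, tampered."""
    own_idp = issue_certificate("example.com", "alice@example.com", "alice-key-1")
    secondary = issue_certificate("accounts.example.org", "alice@example.com", "alice-key-1")
    return {
        "own_idp": verify_certificate(own_idp)["status"],
        "wrong_issuer": verify_certificate(secondary)["status"],
        "trusted_secondary": verify_certificate(secondary, trusted_secondaries={"accounts.example.org"})["status"],
        "tampered": verify_certificate(tamper(own_idp, "bob@example.com"))["status"],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The second scenario is the situation in Nick's report: the certificate is
well-formed and correctly signed, but by a key that is not the IdP's for the
email's domain, so a stock verifier says failure. Only the third scenario, a
verifier told to trust that issuer as a secondary, accepts it; the fourth shows
that the signature check still catches a certificate whose email was edited
after signing.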

More information about the Dev-fxacct mailing list