certificate/sign is fundamentally broken and cannot work as it is with existing sync.next plan
Ryan Kelly
rfkelly at mozilla.com
Sun Nov 24 14:40:44 PST 2013
On 23/11/2013 7:30 AM, Nick Alexander wrote:
> Hello team,
>
> certificate/sign now returns a Browser ID certificate certifying a
> public email address [1]. Observe the {"email":"testtestk at ..."} below.
> The private key signing the certificate is not the same as the private
> key of the IdP hosting the email address. (If there even is a
> Persona-style IdP at the appropriate host.)
>
> The existing token server rightly rejects such bullshit certificates
> (and assertions generated from them). This completely breaks the
> proposed sync.next plan.
Sorry Nick - we pushed the client-facing change through in support of
FxOS work, but then got waylaid with broader design questions before
implementing the corresponding server-facing changes.
The original plan was to use a custom verifier that trusts FxA as a
secondary:
https://github.com/mozilla/fxa-auth-server/issues/292
But the details there are still in flux, so:
> On 23/11/2013 10:23 AM, Chris Karlof wrote:
> This change was reverted on the dev server
> (https://api-accounts.dev.lcip.org/) and the latest dev server.
Thanks Chris!
Cheers,
Ryan
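As an added example (not code from this thread or from fxa-auth-server), the authority check a custom verifier of the kind proposed in issue 292 would need: a certificate's issuer is accepted for an email address only when it is the address's own domain (a Persona-style primary IdP) or a configured trusted secondary such as FxA. Field names (`iss`, `exp`, `principal.email`), the millisecond `exp` unit, the issuer name `fxa.example` and the sample payload are assumptions; signature verification is assumed to have happened before this policy check.

```python
import time


def issuer_is_authoritative(email, issuer, trusted_secondaries=()):
    """True if `issuer` may certify `email`: either the address's own domain
    (primary IdP) or one of the verifier's configured secondary issuers."""
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    if issuer.lower() == domain:
        return True
    return issuer.lower() in {s.lower() for s in trusted_secondaries}


def check_certificate(cert, trusted_secondaries=(), now=None):
    """Policy checks on an already signature-verified certificate payload.
    Returns (ok, reason). `exp`/`now` are assumed to be milliseconds."""
    now = int(time.time() * 1000) if now is None else now
    issuer = cert.get("iss")
    email = cert.get("principal", {}).get("email")
    exp = cert.get("exp")
    if not issuer or not email:
        return False, "missing issuer or principal email"
    if exp is None or exp <= now:
        return False, "certificate expired"
    if not issuer_is_authoritative(email, issuer, trusted_secondaries):
        # The case from the thread: FxA signs for a domain it does not host,
        # so a strict BrowserID verifier (the token server) must reject it.
        return False, "issuer %s is not authoritative for %s" % (issuer, email)
    return True, "ok"


# Constructed sample payload shaped like the certificate/sign output discussed.
SAMPLE_CERT = {
    "iss": "fxa.example",              # constructed FxA issuer name
    "exp": 1_800_000_000_000,          # constructed far-future expiry (ms)
    "principal": {"email": "user@example.com"},
    "public-key": {"algorithm": "RS", "n": "...", "e": "..."},
}

if __name__ == "__main__":
    now = 1_700_000_000_000
    print("strict verifier:", check_certificate(SAMPLE_CERT, now=now))
    print("FxA trusted as secondary:",
          check_certificate(SAMPLE_CERT, ["fxa.example"], now=now))
```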