More on data formats

Ryan Kelly rfkelly at
Tue Nov 26 15:59:04 PST 2013

On 27/11/2013 10:52 AM, Brian Warner wrote:
> On Tue, Nov 26, 2013 at 6:54 PM, Chris Karlof <ckarlof at> wrote:
>> It's nice if there is a simple explicit way of knowing how the sub
>> field should be interpreted. sub as URI helps with that.
> In particular, a BrowserID verifier is going to start with jwt.sub,
> treat it as an email, extract the domain, use that to decide what's an
> acceptable issuer, check jwt.iss against that list, then fetch the
> pubkey from DOMAIN/.well-known/browserid, then check the signature.
> The FxA verifier will start with jwt.sub, treat it as a uuid, assert
> that jwt.iss equals a baked-in issuer like "", fetch
> the pubkey, and check the signature.

My understanding was that we hoped the distinction between "BrowserID
Verifier" and "FxA Verifier" would go away, and leave us with a single
instance of "The Verifier".

Is this still a goal, and does the proposed assertion format make it
easier or harder?



More information about the Dev-fxacct mailing list