More on data formats

Lloyd Hilaiel lhilaiel at
Wed Nov 27 01:08:50 PST 2013

On Nov 27, 2013, at 2:13 AM, Luke Howard <lukeh at> wrote:

> On 27 Nov 2013, at 10:59 am, Ryan Kelly <rfkelly at> wrote:
>> My understanding was that we hoped the distinction between "BrowserID
>> Verifier" and "FxA Verifier" would go away, and leave us with a single
>> instance of "The Verifier".
>> Is this still a goal, and does the proposed assertion format make it
>> easier or harder?
> Are FxA assertions ever going to be consumed by non-Mozilla RPs? If so, there's an argument for putting the UUID in a separate JWT claim from that containing the email*, so they are still verifiable BrowserID assertions.

They can’t be verifiable without an explicit expression of trust in the issuer.  This is because the issuer is other than he who is derived from support document lookup.

The best thinking around how an RP who wanted to accept both Persona issued assertions and FxA issued assertions would be to invoke the verifier with an explicit expression of trust in firefox accounts.  If you don’t express that trust, then you’re persona only.  

For local verification, the same notion applies.

Make sense?

> Forgive me if this has been covered before.
> -- Luke
> * by email address, I mean RFC822-like account identifier
> _______________________________________________
> Dev-fxacct mailing list
> Dev-fxacct at

More information about the Dev-fxacct mailing list