More on data formats
lhilaiel at mozilla.com
Wed Nov 27 01:08:50 PST 2013
On Nov 27, 2013, at 2:13 AM, Luke Howard <lukeh at padl.com> wrote:
> On 27 Nov 2013, at 10:59 am, Ryan Kelly <rfkelly at mozilla.com> wrote:
>> My understanding was that we hoped the distinction between "BrowserID
>> Verifier" and "FxA Verifier" would go away, and leave us with a single
>> instance of "The Verifier".
>> Is this still a goal, and does the proposed assertion format make it
>> easier or harder?
> Are FxA assertions ever going to be consumed by non-Mozilla RPs? If so, there's an argument for putting the UUID in a separate JWT claim from that containing the email*, so they are still verifiable BrowserID assertions.
They can’t be verifiable without an explicit expression of trust in the issuer. This is because the issuer is other than he who is derived from support document lookup.
The best thinking around how an RP who wanted to accept both Persona-issued assertions and FxA-issued assertions would do so is to invoke the verifier with an explicit expression of trust in Firefox Accounts. If you don’t express that trust, then you’re Persona only.
For local verification, the same notion applies.
> Forgive me if this has been covered before.
> -- Luke
> * by email address, I mean RFC822-like account identifier
> Dev-fxacct mailing list
> Dev-fxacct at mozilla.org
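The issuer-trust rule discussed in this thread, as an added example that is not part of the original messages and is not Mozilla's verifier code. It covers only the issuer decision (signature and expiry checks are out of scope); the function names, the `SUPPORT_DOCS` table standing in for the support-document lookup, and all `.example` domains are constructed assumptions.

```python
# Constructed stand-in for fetching a domain's support document.
# Value None: the domain is its own IdP. Value str: it delegates authority.
SUPPORT_DOCS = {
    "idp.example": None,
    "mail.example": "idp.example",
}
FALLBACK_ISSUER = "fallback.example"  # placeholder for the fallback IdP
MAX_DELEGATIONS = 5                   # guard against delegation loops


def expected_issuer(email):
    """Return the issuer derived from support-document lookup for this email."""
    if "@" not in email:
        raise ValueError("not an RFC822-like identifier: %r" % email)
    domain = email.rsplit("@", 1)[1].lower()
    for _ in range(MAX_DELEGATIONS):
        if domain not in SUPPORT_DOCS:
            # No support document: only the fallback IdP may vouch.
            return FALLBACK_ISSUER
        authority = SUPPORT_DOCS[domain]
        if authority is None:
            return domain
        domain = authority.lower()
    raise ValueError("too many delegations")


def issuer_trust(email, issuer, trusted_issuers=()):
    """Classify why an issuer is acceptable for this email, or return None.

    "derived"  -> issuer matches what support-document lookup yields
    "explicit" -> issuer accepted only because the caller listed it
    None       -> reject the assertion
    """
    issuer = issuer.lower()
    if issuer == expected_issuer(email):
        return "derived"
    if issuer in {t.lower() for t in trusted_issuers}:
        return "explicit"
    return None


if __name__ == "__main__":
    fxa = "fxa.example"  # hypothetical issuer other than the derived one
    print(issuer_trust("carol@other.example", fxa))                  # no trust expressed
    print(issuer_trust("carol@other.example", fxa, [fxa]))           # trust expressed
    print(issuer_trust("bob@mail.example", "idp.example"))           # delegated IdP
```

The same check applies whether it runs in a hosted verifier or in local verification: the caller's list is the only way an issuer outside the derived one is accepted.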