More on data formats

Shane Tomlinson stomlinson at mozilla.com
Wed Nov 27 01:27:29 PST 2013


On 27/11/2013 09:08, Lloyd Hilaiel wrote:
> They can’t be verifiable without an explicit expression of trust in the issuer.  This is because the issuer is other than he who is derived from support document lookup.
>
> The best thinking around how an RP who wanted to accept both Persona issued assertions and FxA issued assertions would be to invoke the verifier with an explicit expression of trust in firefox accounts.  If you don’t express that trust, then you’re persona only.


If an RP expresses their expression of trust in FxA issued assertions, 
would the verifier only accept FxA issued assertions, or would they 
accept assertions from both FxA and Persona? If the latter, is a user at 
greater risk of having their account on the RP controlled since there 
are two possible paths a bad actor can use to sign in?

Shane


