More on data formats
stomlinson at mozilla.com
Wed Nov 27 01:27:29 PST 2013
On 27/11/2013 09:08, Lloyd Hilaiel wrote:
> They can’t be verifiable without an explicit expression of trust in the issuer. This is because the issuer is other than he who is derived from support document lookup.
> The best thinking around how an RP who wanted to accept both Persona issued assertions and FxA issued assertions would be to invoke the verifier with an explicit expression of trust in firefox accounts. If you don’t express that trust, then you’re persona only.
If an RP expresses their expression of trust in FxA issued assertions,
would the verifier only accept FxA issued assertions, or would they
accept assertions from both FxA and Persona? If the latter, is a user at
greater risk of having their account on the RP controlled since there
are two possible paths a bad actor can use to sign in?