verifier status

Lloyd Hilaiel lhilaiel at
Wed Jan 15 08:06:45 PST 2014

Yo all,

At present the new browserid-verifier codebase is ready for integration.  

API documentation:

Hosted API endpoint (development only):

Note: This integration environment is two m1.small instances behind an ELB, for a little bit more reality.

FxA assertion formats can now be upgraded, here is a description of most of the changes:

1. we use un-padded base64url encoding *everywhere* now
2. is now “sub”
3. “sub” need not be a valid email address (note the trustedIssuers argument to the verifier above)
4. all times should be represented in seconds from epoch instead of ms
5. keys are serialized with a top level `kty` key (key type) instead of `algorithm`
6. s/RS/RSA/ && s/DS/DSA/

Who on the FxA side can take a look at this today and assess the work to migrate?

I believe there are multiple little projects to track here:
1. (lloyd with ops help) deploy new verifier (milestones this week, next week, and the week after?)
2. (???) migrate data formats in native code (target next week?)

Hows this look?


More information about the Dev-fxacct mailing list