lhilaiel at mozilla.com
Wed Jan 15 08:06:45 PST 2014
At present the new browserid-verifier codebase is ready for integration.
API documentation: https://github.com/mozilla/browserid-verifier
Hosted API endpoint (development only): https://verifier.mozcloud.org/v2
Note: This integration environment is two m1.small instances behind an ELB, for a little bit more reality.
FxA assertion formats can now be upgraded, here is a description of most of the changes:
1. we use un-padded base64url encoding *everywhere* now
2. principal.email is now “sub”
3. “sub” need not be a valid email address (note the trustedIssuers argument to the verifier above)
4. all times should be represented in seconds from epoch instead of ms
5. keys are serialized with a top level `kty` key (key type) instead of `algorithm`
6. s/RS/RSA/ && s/DS/DSA/
Who on the FxA side can take a look at this today and assess the work to migrate?
I believe there are multiple little projects to track here:
1. (lloyd with ops help) deploy new verifier (milestones this week, next week, and the week after?)
2. (???) migrate data formats in native code (target next week?)
Hows this look?
More information about the Dev-fxacct