verifier status

Lloyd Hilaiel lhilaiel at mozilla.com
Wed Jan 15 08:06:45 PST 2014


Yo all,

At present the new browserid-verifier codebase is ready for integration.  

API documentation: https://github.com/mozilla/browserid-verifier

Hosted API endpoint (development only): https://verifier.mozcloud.org/v2

Note: This integration environment is two m1.small instances behind an ELB, for a little bit more reality.

FxA assertion formats can now be upgraded, here is a description of most of the changes:

1. we use un-padded base64url encoding *everywhere* now
2. principal.email is now “sub”
3. “sub” need not be a valid email address (note the trustedIssuers argument to the verifier above)
4. all times should be represented in seconds from epoch instead of ms
5. keys are serialized with a top level `kty` key (key type) instead of `algorithm`
6. s/RS/RSA/ && s/DS/DSA/

Who on the FxA side can take a look at this today and assess the work to migrate?

I believe there are multiple little projects to track here:
1. (lloyd with ops help) deploy new verifier (milestones this week, next week, and the week after?)
2. (???) migrate data formats in native code (target next week?)

Hows this look?

<3,
lloyd





More information about the Dev-fxacct mailing list