<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>This change was reverted on the dev server (<span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><a href="https://api-accounts.dev.lcip.org/">https://api-accounts.dev.lcip.org/</a>) and the latest dev server. </span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><br></span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; ">It should now be emitting certs with principal: { email: &lt;uid&gt;@&lt;server domain&gt; }.</span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><br></span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; ">Sorry Nick. The original change was done to support a FxOS sprint and was clearly pushed too hastily. The formatting of the signed certificates will likely change in the future, but will be deployed to dev servers more thoughtfully and in better coordination with the existing verifiers. 
</span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><br></span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; ">I encourage everyone to follow and participate in the discussion:</span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><br></span></div><div><a href="https://groups.google.com/forum/#!topic/mozilla.dev.identity/1ecTUrOFzbQ">https://groups.google.com/forum/#!topic/mozilla.dev.identity/1ecTUrOFzbQ</a></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><br></span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; ">-chris</span></div><div><span style="font-size: 12px; color: rgb(51, 51, 51); line-height: 19px; "><br></span></div><br><div><div>On Nov 22, 2013, at 12:30 PM, Nick Alexander <<a href="mailto:nalexander@mozilla.com">nalexander@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hello team,<br><br>certificate/sign now returns a Browser ID certificate certifying a public email address [1].  Observe the {"email":"testtestk@..."} below.  The private key signing the certificate is not the same as the private key of the IdP hosting the email address.  (If there even is a<br>Persona-style IdP at the appropriate host.)<br><br>The existing token server rightly rejects such bullshit certificates (and assertions generated from them).  
This completely breaks the proposed sync.next plan.<br><br>I am going on PTO for 2 weeks and can't escalate this any further.<br><br>Nick<br><br>[1] long example:<br><br>Assertion from server login was:<br><br>Corresponds to:<br><br>certificate header:    {"alg":"RS256"}<br>certificate payload: 
{"public-key":{"algorithm":"DS","y":"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","p":"d6c4e5045697756c7a312d02c2289c25d40f9954261f7b5876214b6df109c738b76226b199bb7e33f8fc7ac1dcc316e1e7c78973951bfc6ff2e00cc987cd76fcfb0b8c0096b0b460fffac960ca4136c28f4bfb580de47cf7e7934c3985e3b3d943b77f06ef2af3ac3494fc3c6fc49810a63853862a02bb1c824a01b7fc688e4028527a58ad58c9d512922660db5d505bc263af293bc93bcd6d885a157579d7f52952236dd9d06a4fc3bc2247d21f1a70f5848eb0176513537c983f5a36737f01f82b44546e8e7f0fabc457e3de1d9c5dba96965b10a2a0580b0ad0f88179e10066107fb74314a07e6745863bc797b7002ebec0b000a98eb697414709ac17b401","q":"b1e370f6472c8754ccd75e99666ec8ef1fd748b748bbbc08503d82ce8055ab3b","g":"9a8269ab2e3b733a5242179d8f8ddb17ff93297d9eab00376db211a22b19c854dfa80166df2132cbc51fb224b0904abb22da2c7b7850f782124cb575b116f41ea7c4fc75b1d77525204cd7c23a15999004c23cdeb72359ee74e886a1dde7855ae05fe847447d0a68059002c3819a75dc7dcbb30e39efac36e07e2c404b7ca98b263b25fa314ba93c0625718bd489cea6d04ba4b0b7f156eeb4c56c44b50e4fb5bce9d7ae0d55b379225feb0214a04bed72f33e0664d290e7c840df3e2abb5e48189fa4e90646f1867db289c6560476799f7be8420a6dc01d078de437f280fff2d7ddf1248d56e1a54b933a41629d6c252983c58795105802d30d7bcd819cf6ef"},"principal":{"email":"<a href="mailto:testtestk@mockmyid.com">testtestk@mockmyid.com</a>","uid":"c5684a8c-ed0b-4213-be82-3f8594a46749"},"iat":1385150427283,"exp":1385181963283,"iss":"<a href="http://api-accounts.dev.lcip.org">api-accounts.dev.lcip.org</a>"}<br>certificate signature: 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<br>assertion   header:    {"alg":"DS256"}<br>assertion   payload: {"exp":1416686427336,"aud":"<a href="http://auth.oldsync.dev.lcip.org">http://auth.oldsync.dev.lcip.org</a>"}<br>assertion   signature: 3391007e9af762ac4eeaf1cbca81b0bc610db22f6c9657756695363cecba404f49d5f80f0a0b57637aff3f9c74fea1e377c22f42cbe1283f7667e7f3d3f6c064<br><br>_______________________________________________<br>Dev-fxacct mailing list<br><a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a><br>https://mail.mozilla.org/listinfo/dev-fxacct<br></blockquote></div><br></body></html>
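Added example, not code from this thread or from any Mozilla project: the issuer/principal consistency check a BrowserID verifier such as the token server applies before looking at signatures, which is why a certificate with principal testtestk@mockmyid.com but issuer api-accounts.dev.lcip.org is rejected and why the reverted uid@server-domain form passes. It assumes the certificate is the first `~`-separated element of the backed assertion, as in Nick's dump; signature verification is left out because no keys are available here, and the sample payloads are constructed from the values quoted above.

```python
# Issuer/principal consistency check for BrowserID certificates. Added example,
# not code from the FxA server, the token server or anyone in this thread.
# Signature verification is out of scope (no keys embedded); sample values are
# constructed from the principal, uid and iss quoted in the thread.
import base64
import json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_cert(cert):
    """Split header.payload.signature; return (header, payload) as dicts."""
    header_b64, payload_b64, _sig = cert.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def check_principal(payload):
    """Accept only if the issuer is the domain of the principal email.
    The rejected dev certs carried principal testtestk@mockmyid.com but
    iss api-accounts.dev.lcip.org: the signing key belonged to a server that is
    not the IdP for mockmyid.com. The reverted format uses uid@issuer-domain."""
    email = payload.get("principal", {}).get("email", "")
    iss = payload.get("iss", "")
    if "@" not in email or not iss:
        return False, "malformed principal or missing iss"
    domain = email.rsplit("@", 1)[1].lower()
    if domain != iss.lower():
        return False, "issuer %s is not the IdP for %s" % (iss, domain)
    return True, "ok"

def check_backed_assertion(backed):
    """Backed assertion is cert~assertion; only the cert's principal matters here."""
    _header, payload = decode_cert(backed.split("~", 1)[0])
    return check_principal(payload)

def make_cert(payload, alg="RS256"):
    """Build a test cert with a placeholder, not a real, signature."""
    return "%s.%s.PLACEHOLDER_SIG" % (
        b64url_encode(json.dumps({"alg": alg}).encode()),
        b64url_encode(json.dumps(payload).encode()))

# Constructed from values in the thread: the rejected form and the reverted form.
UID = "c5684a8c-ed0b-4213-be82-3f8594a46749"
ISS = "api-accounts.dev.lcip.org"
REJECTED = {"principal": {"email": "testtestk@mockmyid.com", "uid": UID}, "iss": ISS}
REVERTED = {"principal": {"email": UID + "@" + ISS}, "iss": ISS}
```

Run `check_backed_assertion(make_cert(REJECTED) + "~...")` to see the rejection reason the token server would give, and the same with REVERTED to see it pass.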