couchdb-dev mailing list archives

From Jason Smith <>
Subject Re: Persona and BrowserID integration
Date Mon, 29 Jul 2013 10:02:27 GMT

Thanks Dirkjan (and Jan).

Yes, so the first milestone is definitely a standard RP mode working
against's web services.

To clarify, "tinfoil hat" mode is actually just a complete
implementation of the RP role, notably that it does not require the
POST to to verify an assertion. Thus, CouchDB
could be used on an intranet where an existing IdP exists. The IdP is
out of scope, but I expect to install one to test CouchDB when that
time comes.

Tinfoil hat mode is perfectly cromulent, I just called it that due to
recent news about wiretaps and that stuff.

On Mon, Jul 29, 2013 at 4:03 PM, Dirkjan Ochtman <> wrote:
> On Mon, Jul 29, 2013 at 6:13 AM, Jason Smith <> wrote:
>> Thanks, Jim. That is basically my plan. To be clear, I would ship
>> "outsourced mode" ( hosted JavaScript and verification)
>> in a CouchDB release. It's just that I would work to get "tinfoil hat
>> mode" added in for a subsequent release. Outsourced mode already
>> exists (modulo a rewrite and unit tests) as a plugin, but I want to
>> merge it in.
> Running the verification inside CouchDB is very sane. It looks like
> local verification will be the recommended approach anyway in the near
> future.
>> I am not sure if I understand you exactly. Persona is a three-party
>> protocol between users, relying parties (RPs) and identity providers
>> (IdPs). I am talking about RP support for CouchDB. AFAIK there is a
>> bit of mere-mortal crypto to do but it does not require IdP support.
> Your tinfoil hat mode is a bit weird. If you're doing disconnected
> operation, you can only connect to Identity Providers inside the LAN,
> so general RP support becomes impossible, so it's a pretty crippled
> setup.
> Cheers,
> Dirkjan

