couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirkjan Ochtman <dirk...@ochtman.nl>
Subject Re: Persona and BrowserID integration
Date Mon, 29 Jul 2013 15:38:16 GMT
On Mon, Jul 29, 2013 at 5:26 PM, Jim Klo <jim.klo@sri.com> wrote:
> Right.  The key difference from other 3-party solutions is that, once the BrowserID protocol
is up and running with a really stable release, Identity verification should be untraceable
by the IdP. BrowserID uses a model where the client generates public key material and asks
their IdP to validate and countersign an assertion and hand back to them a signed response.
 The client then hands that signed response over the the RP from which the only thing the
RP should have to do is validate the countersigning done by the IdP using the IdP's well known
public certificate.

Identity verification should be untraceable by the IdP in the current
setup as well.

> The challenge really is while they have their spec stored in GitHub… the protocol itself
isn't well versioned IMO in that it doesn't advertise the running version and there's no way
to interoperate with a specific version of the protocol AFAIK. Thus keeping RP implementations
in sync with production is a royal PITA - resulting in versions of the current CouchDB plugin
breaking all of a sudden because Mozilla changed something and theres no way to request the
old version of the protocol hence validation done on the RP side breaks..

Protocol versioning is one of the remaining goals, it will be done.
But you're still pretty vague here about versioning and how things
break. AFAICT, the actual recommended RP API has changed a few times,
but the old versions are still supported, so nothing is broken on that
side. What might have been broken is the shim implementation of the
DOM/UA handling of RP/IdP intermediary, but that Mozilla has AFAIK
always said that that part has not been stabilized, and this is the
reason you shouldn't fork your own include.js.

> I was just +1 that if someone wanted to build IdP support for Persona/BrowserID into
CouchDB - for those of us who would like a more stable provider that doesn't up and change
suddenly breaking things.

This doesn't make sense. The IdP API has been perfectly stable for a
long while now. And I'm not sure CouchDB *as* an IdP makes a whole lot
of sense, though of course an IdP could trivially be backed by
CouchDB.

> Also +1 for better RP support when Persona is 'ready'.

I'd contend that free-standing RP support doesn't mean it's better,
it's just free-standing. But the assumption that disconnected
operation isn't very important to almost all users seems sensible
enough to me.

Cheers,

Dirkjan

Mime
View raw message