mozilla / persona Goto Github PK

The first link opens up the second public key

rather than using connect, why not use express? it's a thin layer atop connect that provides additional interesting features.

/wsapi/authenticate should be a POST with an anti-CSRF token

so no need to parse in two places

What if there were a simple experience for using popular identities, or those that don't actually use SMTP? This issue is for the exploration of how integrating first class support into BrowserID for popular networks might look.

key generation takes a while. user feedback is good.

currently the verifier checks with the issuer to ensure that the public key used to sign an assertion is owned by the user. We'll have to change this so that the verifier pulls the issuer's public key(s) and verifies that the assertion is properly signed.

http://cl.ly/09153C2d0o3j0X3c3g45

contact sean if you need a higher-res/different format image

If I go into the status page and "sign out", mentally I'm thinking "forget about this email" - maybe it should be labeled "forget" or "remove", or maybe my mental model is wrong(?)

Because I'm thinking about it as "forget", if I then go to an RP and sign in, it should a) not list that email, and b) require email verification to let me use it to sign in.

this is the low level mechanisms to sign public keys. this must be implemented in the server, and should be sufficiently modular so that it can be packaged as a library/reference implementation for primaries.

hostname, port, etc...

While the user is adding a new email, if the email is from a host who natively supports BrowserID, then the IP should query host-meta to determine the URL of the UI for that support. That UI should be embedded into the window spawned by the IP so that the user can log in.

Part of this is smoothing out the spec to which primaries will author auth code (postMessage? size? etc).

This link seems to purge server based records, but not client based records.

STR:

1. setup browserid, add emails
2. go to https://browserid.org/manage.html
3. click cancel link at bottom of page
4. click ok in modal popup
5. notice that email addresses still appear on page

this should be done with a logout button that comes up in a popup when user doesn't check "remember me on this computer"

We should be able to clearly explain to an entity who offers ID on the web today why supporting browserid is in their best interest, and in the interest of their users.

we need to work with the refresh_url

tell developers that, while they can use anything they like, we'd like it if they used these:

http://cl.ly/09153C2d0o3j0X3c3g45

contact sean if you need them in some other format or whatever.

stand up the verifier code on verifier.browserid.org. This is a server behind strong SSL that lazy RPs can use for a simpler integration.

I wasn't sure whether I needed to do any fancy CSRF protection when I passed the assertion from the user's browser to my server, and Ben Adida said I should. We should probably mention this in the developer guide, no?

we've abused the eyedee.me domain thus far, putting the "implementation provider" and "secondary" on that domain. We should move the implementation provider and secondary onto browserid.org, and eyedee.me will be left as a domain where we can build a sample primary.

There are several cases where I might want to add an email address to my account that is already registered by someone else.

First, perhaps I forgot the password to my account and am re-verifying my emails as I need to use them to log in.

Next, maybe there's a shared email and I want to use it to log into some site, but my colleague (for instance) has already verified it.

At present, we let you get all the way to clicking on the link in your email before failing, at which point you get a non-obvious error message.

That's certainly bogus. In the spirit of how the rest of the system works (i.e. create new account/I forgot my password), I think for initial release we should just let you go all the way through the flow, and take ownership of the single email you're verifying.

Android and iOS. From James Burke:

Android 2.2, Firefox Mobile 4.0.1 on a 7" Galaxy Tab: no messages in
the console about a possible error. I do not see another window in the
list of browser windows either. I tried the example on browserid.org,
but seems to have the same problem. Clicking the button does not show
the browserid window.

iOS 4, Mobile Safari, on iphone: a JavaScript error in the console:
"undefined Channel.build() called without a valid window argument".

Sad, but true.

On https://browserid.org/developers.html, there's a grey sign in button that's promoted for use. However, its foreground and background color have a very small contrast ratio.

Ref: http://juicystudio.com/services/luminositycontrastratio.php

The button has text in #aeaeae, and a background gradient from #9a9a9a to #757575. Even on the darkest side, that's a contrast ratio of 2.08:1, under the 3:1 minimum for big text, and way under the 4.5:1 minimum for small text, like on this button. In less analytical and more human terms, this means it's really hard / impossible to read for people with less-than-perfect eyesight.

Could this button please be replaced with a version with brighter text and/or a darker background? Thanks! :-)

because it's easy to forget your password!

real email confirmation is needed once we move to production server. This will include figuring out portable UX for user feedback manifests upon clicking link in email.

browserid returns an error saying "Payload audience does not match provided audience."

browserid.org should be a friendly and targeted description of the proposal: for users, for developers, and for authorities.

blobastorus is a perfect candidate for a hack that would be better with improved authentication. We should port it to browserid.

there's no need to store plaintext passwords on the server. we should hash them right when they come in.

A beta installation that will serve as a testing target for QA and house weekly trains for a week before push to production.

We should be able to clearly explain to a primary and to an end user why browserid is awesome. This should resonate with a non-technical user and should be backed up by an implemented login flow that is demonstrably better than what the web offers today.

for testing purposes, so I can demo account creation

title says it all.

cause it's awesome

for a little bit of consistency and a slightly better look.

I'm working on a Python-based browserid auth mechanism, and realized that all the major built-in ways of doing HTTPS in Python--via httplib, urllib, and urllib2--offer no way to check the server's cert. This is terrible, and effectively means the communication occurs over HTTP.

Some searches on google yield two particularly interesting links:

• http://bugs.python.org/issue1114345
• http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python

Anyhow, it seems doing HTTPS the right way in Python is nontrivial, so it'd be nice if we provided a bit of guidance here, so that folks don't accidentally introduce vulnerabilities into their apps.

Early feedback is that the possibility for value adding primaries which anonymize emails is huge. I think so to.

We should implement anonymizing email support in browserid.org (which means email forwarding, yes it does), and figure out how it would map into the fully distributed system. As well as figuring out the UX bits.

The developer instructions have a verification step written in JS. Unfortunately, many server-side hackers will assume this code is OK (or even expected to) run client-side, particularly if they don't read/skim the text above the code.

I propose a selector so you can see the same code in a few different languages (python, php, js), with the default something other than js. Maybe also call js "node js" or somesuch.

As a low bar, maybe we just rewrite the current code in python.

getVerifiedEmail should not have a separate error function, according to the new spec:

https://wiki.mozilla.org/Identity/Verified_Email_Protocol/Latest

BrowserID is a complicated solution to a real problem. The various actors that it affects are sufficiently different that it is important to develop and refine targeted explanations as to why BrowserID is important.

At the end of this milestone we should have concise, targeted explanations of why BrowserID is important. This excercise will also help focus and prioritize future development.

currently the email is all smashed together, double \n is collapsed into one. This is a mustache "feature" ?

I have no previous account or interaction with the site.

I registered an email, performed the verification, but when the verification switched to the manage page, the newly auth'd id was not listed. Refreshing the page showed the email.

some kind of window channel confusion.

a base level testing plan should be created as a starting point for QA for validating weekly pushes.

/wsapi/set-key should be a post with anti-CSRF protection

Relying parties are sites that use BrowserID. In this milestone we'll take some existing sites and "upgrade" them with browserid support. In the process of building browserid support into real sites we'll be forced to think through the ease of integration and ensure the embedding APIs are sufficiently flexible to afford embedding sites freedom.

The output of this milestone will be a number of sites that use browserid, as well as excellent documentation for how to user browserid in your own site

After this milestone we'll be ready to start using browserid in various experiments and hacks.

if you frequently use an identity for a site, the UI should sort that id to the top of the list and perhaps tell you (id last used for this site 4 days ago)

the data to support this ui can be automatically gathered and need never leave the client.

we'll delay the unverified email use-case until a later time, when we can propose some other API (e.g., part of a getProfile type API).