Mozilla BrowserID

John Kemp john at jkemp.net
Wed Jul 20 14:09:21 UTC 2011 

On Jul 20, 2011, at 12:05 AM, Manger, James H wrote:

>>> As for one of the major advantages of BrowserID: it is a user-centric architecture unlike OpenID Connect.
> 
>> Can you explain what you mean by "user-centric" in this context?
> 
> 
> With OAuth2 (and hence OpenID Connect, I assume) the RP needs to be registered with the IdP. It is not user-centric because the user cannot arbitrarily choose an IdP -- they can only choose an IdP with whom the RP is registered, which may well mean only one of a handful of major IdPs.

Oh - I guess I had thought from reading the protocol that I would be required either to choose my email provider as an IdP (only they can verify that I "own" that email address, and assert it reasonably to an RP) or to get browserid.org to verify and assert my email address "on behalf" of my email provider to RPs?

I guess I can always assert my email address to an RP myself, and even create my own POP/SMTP server so that I can back up that assertion with the "verified email protocol" proposed by BrowserID?

But I assume that the value of this protocol is not too different than that proposed value of OpenID (Connect); that is, an IdP will *assert* the email address of a user at the IdP to RPs, and that it will carry weight because of some relationship between the IdP and RP (either because the IdP Is Famous, or because there is a crypto-based relationship, either dynamic -- DH association a la OpenID, or static like the PKI-based solution possible in SAML for example). BrowserID seems to offer the same possibility - https://wiki.mozilla.org/Identity/Verified_Email_Protocol/Latest#Recommended_public_key_discovery_mechanisms - that RPs will validate the IdPs signature over the assertion...

> BrowserID is user-centric in that the RP can verify the signature of whichever email provider the user chooses. It doesn't rely on a prior agreements between the RP and IdP.

I agree with your specific statement - so I won't quibble over whether this is necessarily "user-centric" or not ;)

Cheers,

- John

> 
> --
> James Manger

More information about the specs mailing list