Mozilla BrowserID
Nat Sakimura
sakimura at gmail.com
Sun Jul 17 05:12:16 UTC 2011
This is a good article, though I can come up with a few more concerns.
"What are the downsides of BrowserID compared to OpenID/OAuth/Facebook? 6
useful questions that need answers. http://j.mp/rcRC5h #browserid"
=nat via iPhone
On 2011/07/17, at 8:44, John Bradley <john.bradley at wingaa.com> wrote:
I posted this to the specs-ab list earlier today.
Links for those that haven't looked yet.
https://browserid.org/
http://arstechnica.com/web/news/2011/07/mozillas-browserid-aims-to-simplify-authentication-on-the-web.ars
They are using asymmetrically signed JWT with an introspection endpoint.
There are limitations on attributes, identifiers and other serious issues
with what Mozzila is proposing.
Though it is relatively close to what Nat and I were thinking with
asymmetrically signed id_tokens, and an introspection endpoint.
In some ways our flow would be simpler if the id_tokens were always
asymmetrically signed and anyone not supporting that uses the introspection
endpoint, as they propose.
If the RP doesn't understand asymmetric signatures it just throws to the
introspection endpoint.
The big advantage is for smart clients. They would not need to manage
shared secrets to validate tokens.
For a smart client I suppose that you could let it generate its own access
tokens if those access tokens are JWT and they wrap a JWT containing the
client's public key and some scope constraints etc. In principle that
could lower the IdP's authorization load. It could also be a way to prevent
the IdP from knowing who the RP is in the simple SSO case.
If the browser supports asymmetric keys securely (they are using html5 local
storage keyed to a trusted domain) you could have the smart client provide
its public key to the OP and have an assertion without an audience generated
and signed. The client would then over-sign with an audience. (some
potential size issues with double base64 encoding)
Just some things to think about.
John B.
On 2011-07-16, at 9:25 AM, David Recordon wrote:
Thoughts?
http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid
_______________________________________________
specs mailing list
specs at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs