Thoughts on BrowserID

Hi, I just saw http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in

As someone new to this, I found a few things confusing.

First, it would be good to compare it with OpenID. Right now, I can go
to an OpenID site (e.g. sf.net), click the Firefox OpenID toolbar
icon, and be logged in. How will BrowserID improve on that?

Fetching the CA certificate for my email provider rather than sending
my personal identifier to them seems like an advantage over OpenID
(better for privacy), though it looks like this is optional in the
protocol.

The page says that the system is "decentralized". Yet the example site
and the example developer code make heavy use of "browserid.org". It's
hard to tell whether this is just for convenience, or whether there
really is a dependency on it.

browserid.org asks me for a password, which seems strange. I thought I
was logging in using my email provider? I was expecting to validate my
email address and then have a key-pair added to my browser. What is
the extra password for?

Sorry for all the questions.

Thanks,
0
Thomas
7/15/2011 10:44:50 AM
mozilla.dev.identity 1643 articles. 4 followers. Post Follow

3 Replies
203 Views

Similar Articles

[PageSpeed] 46

--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Disclaimer: I'm not anyone official, this is just one guy's current=20
understanding, please correct my mistakes.

On Fri, Jul 15, 2011 at 06:40:24AM -0700, Tom Boutell wrote:
> Which, in turn, raises the question of why we should all use=20
> browserid.org and not facebook connect.

browserid.org only exists because your browser and email provider don't=20
support BrowserID yet. Once they do, you never need to see browserid.org=20
again.

The ultimate goal of this system is that your email provider (Primary=20
Identity Authority) will provide a public key that allows relying=20
parties to verify that yes, you actually own that email address you're=20
claiming.

Since no email providers are Primary Identity Authorities yet, we need a=20
Secondary Identity Authority (browser.org) to fill the gap. It's a=20
clever way to sidestep the chicken/egg issue that this system would have=20
otherwise.

--AqsLC8rIMeq19msA
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk4f9okACgkQc7m7RB/1A2X61wCdGpSiPYMgGbizf//Ak+1AHEy5
wDkAnjox3N96ofUEoyKswXx6c/4CLaPx
=cWrQ
-----END PGP SIGNATURE-----

--AqsLC8rIMeq19msA--
0
Brendan
7/15/2011 8:12:57 AM
Looks like browserid.org is just another site on which you have an old-scho=
ol account, with your email address as the "username" (thus the need for a =
password). browserid.org does traditional email address verification once, =
and then in future other sites can just authenticate via browserid.org... w=
hich is fine as far as it goes, except as you say we already have openid an=
d openauth, and the only real change here is the idea of having just one lo=
gin site. Which, in turn, raises the question of why we should all use brow=
serid.org and not facebook connect. What are the advantages of browserid.or=
g over the other options? Sure, it seems nonpartisan, but does it have a su=
stainable business plan to cover the enormous traffic levels to be expected=
?
0
Tom
7/15/2011 1:40:24 PM
On 15 Jul., 10:12, Brendan Taylor <whate...@gmail.com> wrote:
> browserid.org only exists because your browser and email provider don't
> support BrowserID yet. Once they do, you never need to see browserid.org
> again.

What's what I think and how I understood it too. There is a mockup
Alex Faarborg on behalf of the Firefox User Experience Team that
show's how BrowserID could be like when it's implemented into firefox:

http://people.mozilla.com/~faaborg/files/projects/firefoxAccount/index.html
0
Falco
7/15/2011 2:30:49 PM
Reply: