W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

Re: Browser ID, WebID & URLs

From: Ben Adida <ben@adida.net>
Date: Mon, 18 Jul 2011 20:05:25 -0700
Message-ID: <4E24F475.40809@adida.net>
To: jeff@sayremedia.com
CC: Henry Story <henry.story@bblfish.net>, Tom Scavo <trscavo@gmail.com>, dev-identity@lists.mozilla.org, WebID XG <public-xg-webid@w3.org>
On 7/18/11 7:54 PM, Jeff Sayre wrote:
> For those of us that operate our own communications channels -- websites
> -- and act as our own email providers, how will the certification of our
> own email addresses work under BrowserID?

We're working out the details, but roughly:

(a) you put up a domain public key in a well-known location at your domain.

(b) you use the domain secret key to certify a public key for yourself,
bound to your exact email address

(c) you publish a web page that makes
navigator.id.registerVerifiedEmail() calls to get that certificate
registered with your browser (or browserid.org localstorage until the
browsers support the API).

We'll probably need some tools to make that process easier. In the
interim, you can use a secondary authority, though I understand that's
not the full solution you want.

> It sounds like BrowseID is really geared toward 3rd-party email idP's and
> not people like myself.

Not at all. It's simply aimed at letting you prove you own your email
address. Domains have to do a little bit of work to create the cert
chain, but if you're self-hosting it's still very much under your control.

> With WebID, I can fully control my identity and act as my own idP. I can
> vouch for myself. I do not need a 3rd party, who truly does not know me,
> certify me -- whether for free or a fee. I can demonstrate ownership and
> control over my domain.

Same for BrowserID.

> It is then up to others to decide if they wish to
> trust me or not.

In BrowserID, since all we're doing is certifying email addresses,
there's no reason for anyone *not* to trust you. After all, if adida.net
is certifying ben@adida.net, what possible reason could an RP have not
to trust it?

-Ben
Received on Tuesday, 19 July 2011 03:05:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:25 UTC