- From: Ben Adida <ben@adida.net>
- Date: Mon, 18 Jul 2011 20:05:25 -0700
- To: jeff@sayremedia.com
- CC: Henry Story <henry.story@bblfish.net>, Tom Scavo <trscavo@gmail.com>, dev-identity@lists.mozilla.org, WebID XG <public-xg-webid@w3.org>

On 7/18/11 7:54 PM, Jeff Sayre wrote:
> For those of us that operate our own communications channels -- websites
> -- and act as our own email providers, how will the certification of our
> own email addresses work under BrowserID?

We're working out the details, but roughly:

(a) you put up a domain public key in a well-known location at your domain.

(b) you use the domain secret key to certify a public key for yourself, bound to your exact email address

(c) you publish a web page that makes navigator.id.registerVerifiedEmail() calls to get that certificate registered with your browser (or browserid.org localstorage until the browsers support the API).

We'll probably need some tools to make that process easier. In the interim, you can use a secondary authority, though I understand that's not the full solution you want.

> It sounds like BrowserID is really geared toward 3rd-party email idP's and
> not people like myself.

Not at all. It's simply aimed at letting you prove you own your email address. Domains have to do a little bit of work to create the cert chain, but if you're self-hosting it's still very much under your control.

> With WebID, I can fully control my identity and act as my own idP. I can
> vouch for myself. I do not need a 3rd party, who truly does not know me,
> certify me -- whether for free or a fee. I can demonstrate ownership and
> control over my domain.

Same for BrowserID.

> It is then up to others to decide if they wish to
> trust me or not.

In BrowserID, since all we're doing is certifying email addresses, there's no reason for anyone *not* to trust you. After all, if adida.net is certifying ben@adida.net, what possible reason could an RP have not to trust it?

-Ben
Received on Tuesday, 19 July 2011 03:05:52 UTC
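
Steps (a) and (b) of the message above, together with the relying-party check its last paragraph implies, as an added example that is not part of the original message and is not BrowserID's own code. The JSON certificate layout, the use of Ed25519, the `wellKnown` map standing in for the well-known-location fetch, the `example.org` addresses and all function names are assumptions; step (c) and secondary authorities are not modeled.

```javascript
// Added illustration. The JSON certificate layout, Ed25519, and all names
// below are assumptions, not BrowserID's actual format or API.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// (a) Domain key pair. The public half would be served from a well-known
// location on the domain; this Map stands in for that fetch.
const domainKeys = generateKeyPairSync('ed25519');
const wellKnown = new Map([['example.org', domainKeys.publicKey]]);
const lookupDomainKey = (domain) => wellKnown.get(domain);

// (b) The domain secret key certifies a user public key, bound to one
// exact email address.
function issueCert(issuer, issuerPrivateKey, email, userPublicKey) {
  const body = JSON.stringify({
    issuer,
    email,
    publicKey: userPublicKey.export({ type: 'spki', format: 'pem' }),
  });
  const sig = sign(null, Buffer.from(body), issuerPrivateKey).toString('base64');
  return { body, sig };
}

// Relying party: accept only when the email's own domain signed the binding.
function verifyCert(cert, lookup) {
  let claims;
  try { claims = JSON.parse(cert.body); } catch { claims = null; }
  if (!claims || typeof claims.email !== 'string') {
    return { ok: false, reason: 'malformed certificate' };
  }
  const email = claims.email;
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return { ok: false, reason: 'bad email' };
  const domain = email.slice(at + 1).toLowerCase();
  // The signer must be the domain that appears in the address itself.
  if (claims.issuer !== domain) return { ok: false, reason: 'issuer is not the email domain' };
  const key = lookup(domain);
  if (!key) return { ok: false, reason: 'no key published for domain' };
  const good = verify(null, Buffer.from(cert.body), key, Buffer.from(cert.sig, 'base64'));
  return good ? { ok: true, email } : { ok: false, reason: 'bad signature' };
}

// Constructed sample: a self-hosted user at example.org.
const userKeys = generateKeyPairSync('ed25519');
const cert = issueCert('example.org', domainKeys.privateKey, 'alice@example.org', userKeys.publicKey);
console.log(verifyCert(cert, lookupDomainKey));
```

The issuer comparison is what keeps a domain from vouching for an address it does not host: a certificate is accepted only when the key published by the address's own domain produced the signature.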