Mozilla Identity

ragtek

Guest
#1
Do you know about this?
http://identity.mozilla.com/
Why BrowserID?
For a Web developer, creating a new application always involves an annoying hurdle: how do users sign in? An email address with a confirmation step is the classic method, but it demands a user’s time and requires the user to take an extra step and remember another password. Outsourcing login and identity management to large providers like Facebook, Twitter, or Google is an option, but these products also come with lock-in, reliability issues, and data privacy concerns.
With BrowserID, there is a better way to sign in. BrowserID implements the /verified email protocol/, which offers a streamlined user experience. A user can prove their ownership of an email address with fewer confirmation messages and without site-specific passwords.
BrowserID is:
I like the idea:)

But it's IMHO just like openid and all other "failed" implementations:D
And bye bye privacy. Then every browser is unique and somebody will be able to track everything:D
 

Forsaken

Well-known member
#2
Do you know about this?
http://identity.mozilla.com/

I like the idea:)

But it's IMHO just like openid and all other "failed" implementations:D
And bye bye privacy. Then every browser is unique and somebody will be able to track everything:D
They're just adding to the fragmentation that already exists.

OpenID was one of the first, and both Yahoo and Google forked it rather than using the base system (understandable in their case, but it has added to the fragmentation already existent with the system).
 
Floris

Guest
#3
Yay, ANOTHER method ..

Why isn't everybody just leaning towards one solution so we are done with this nonsense.
I thought all these big companies were about unifying the experience, etc ..
 

Carlos

Well-known member
#5
I think it's a lil' confusing for me. I mean - an identity system for browsers? And it requires an e-mail address? o_O
 

Jason

Well-known member
#6
I think it's a lil' confusing for me. I mean - an identity system for browsers? And it requires an e-mail address? o_O
Yep, it's yet another identity system. The assumption is that an email address == a unique identity. This is a flawed assumption, imo, but it really is the closest thing we have to a universal identifier on the Internet (and a lot of sites already rely on this). Basically, when both your browser and email provider support BrowserID, you (for example):
  1. log into Gmail
  2. your browser generates a key pair and sends the public key to Gmail
  3. Gmail then signs your public key and sends your browser a cert saying this key is owned by you@gmail.com
  4. When you sign into a site that supports BrowserID, your browser sends the site a message saying "my user is you@gmail.com", which is signed with the private key we generated in step 2
  5. The site looks at the "gmail.com" part and grabs Gmail's public key (the one that signed your public key in step 3) and verifies the signatures.
  6. Now the site knows you control you@gmail.com
So, in essence, it's public key authentication for websites (which already exists, though the UX is horrible), except all sites share one public key and your browser holds the private key (replacing ssh-agent). OpenID is far from ideal, and BrowserID is yet another attempt to solve the same issues. The problem with this is, BrowserID only fixes those issues if it ends up as the only game in town; otherwise, it's just going to be tacked onto the end of a daunting list of other OpenID / BrowserID providers that users will have to choose from.

If you want to read up more on it, http://lloyd.io/how-browserid-works explains all this in more detail and provides some nifty diagrams to illustrate how it works.
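
The six steps in the post above, as an added example that is not part of the original thread and is not BrowserID's own code. It is a simplified model: Ed25519 signatures over JSON instead of BrowserID's wire format, a constructed in-memory key table in place of fetching the provider's public key, and hypothetical helper names (`sign`, `open`, `makeAssertion`, `verifyLogin`). The `audience` and `expires` fields are assumptions added here, beyond what the post lists, so the site can reject an assertion made for a different site or an old one.

```javascript
// Simplified model of the six steps: Ed25519 signatures over JSON, not BrowserID's wire format.
const crypto = require("crypto");

// Sign a JSON object; returns the exact signed bytes plus a base64 signature.
function sign(obj, privateKey) {
  const payload = JSON.stringify(obj);
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString("base64");
  return { payload, sig };
}

// Return the parsed payload only if the signature verifies under publicKey.
function open(signed, publicKey) {
  const ok = crypto.verify(null, Buffer.from(signed.payload), publicKey,
                           Buffer.from(signed.sig, "base64"));
  return ok ? JSON.parse(signed.payload) : null;
}

// Constructed stand-in for fetching the provider's public key by email domain (step 5).
const provider = crypto.generateKeyPairSync("ed25519");
const providerKeys = new Map([["gmail.com", provider.publicKey]]);

// Step 2: the browser generates a key pair and sends the public half to the provider.
const browser = crypto.generateKeyPairSync("ed25519");
const browserPem = browser.publicKey.export({ type: "spki", format: "pem" });

// Step 3: the provider signs a cert binding that public key to the email address.
const cert = sign({ email: "you@gmail.com", publicKey: browserPem }, provider.privateKey);

// Step 4: the browser signs an assertion. The audience and expiry fields are
// assumptions added here so an assertion cannot be reused at another site or later.
function makeAssertion(audience, privateKey = browser.privateKey) {
  return sign({ audience, expires: Date.now() + 2 * 60 * 1000 }, privateKey);
}

// Steps 5-6: the site checks both signatures and returns the proven email, or null.
function verifyLogin(cert, assertion, myOrigin, now = Date.now()) {
  let claimed;
  try { claimed = JSON.parse(cert.payload); } catch { return null; }
  const domain = String(claimed?.email).split("@").pop();
  const providerKey = providerKeys.get(domain);   // trust anchor chosen by domain
  if (!providerKey) return null;
  const c = open(cert, providerKey);              // did the provider sign this cert?
  if (!c) return null;
  const a = open(assertion, crypto.createPublicKey(c.publicKey)); // did the certified key sign?
  if (!a || a.audience !== myOrigin || a.expires < now) return null;
  return c.email;
}
```

The site never sees a password: it trusts only the provider key selected by the email's domain, so a cert signed by any other key fails at the first signature check.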
 

Sador

Well-known member
#7
Yep, it's yet another identity system. The assumption is that an email address == a unique identity. This is a flawed assumption, imo, but it really is the closest thing we have to a universal identifier on the Internet (and a lot of sites already rely on this). Basically, when both your browser and email provider support BrowserID, you (for example):
  1. log into Gmail
  2. your browser generates a key pair and sends the public key to Gmail
  3. Gmail then signs your public key and sends your browser a cert saying this key is owned by you@gmail.com
  4. When you sign into a site that supports BrowserID, your browser sends the site a message saying "my user is you@gmail.com", which is signed with the private key we generated in step 2
  5. The site looks at the "gmail.com" part and grabs Gmail's public key (the one that signed your public key in step 3) and verifies the signatures.
  6. Now the site knows you control you@gmail.com
So, in essence, it's public key authentication for websites (which already exists, though the UX is horrible), except all sites share one public key and your browser holds the private key (replacing ssh-agent). OpenID is far from ideal, and BrowserID is yet another attempt to solve the same issues. The problem with this is, BrowserID only fixes those issues if it ends up as the only game in town; otherwise, it's just going to be tacked onto the end of a daunting list of other OpenID / BrowserID providers that users will have to choose from.

If you want to read up more on it, http://lloyd.io/how-browserid-works explains all this in more detail and provides some nifty diagrams to illustrate how it works.
Well, that will be fun if you want to login on another computer for whatever reason. Or when your computer breaks down. Or you change browsers...
 

Jason

Well-known member
#8
Well, that will be fun if you want to login on another computer for whatever reason. Or when your computer breaks down. Or you change browsers...
Not sure I get what you're trying to say. Why would using a different computer or browser be a problem? You'd just have an extra step, i.e., re-entering your email address and BrowserID password. Though, then you'd want to make sure you delete the BrowserID cookies if you're not using something like incognito browsing, so others aren't presented with your credentials when trying to use BrowserID themselves.

Personally, I'm not convinced on BrowserID. There's still a few implementation issues they need to figure out, imo.
 
Floris

Guest
#9
Not sure I get what you're trying to say. Why would using a different computer or browser be a problem? You'd just have an extra step, i.e., re-entering your email address and BrowserID password. Though, then you'd want to make sure you delete the BrowserID cookies if you're not using something like incognito browsing, so others aren't presented with your credentials when trying to use BrowserID themselves.

Personally, I'm not convinced on BrowserID. There's still a few implementation issues they need to figure out, imo.
He's trying to say he doesn't understand this principle, nor the pros/cons ..