Changes


Identity/BrowserID

333 bytes added, 17:24, 19 January 2012
API
=== API ===
A compliant VEP BrowserID User-Agent must implement all the <tt>navigator.id</tt> object, with API calls as described here:.
<tt>navigator.id.getVerifiedEmailget(object options, function callback);</tt>
The Relying Party MAY call the navigator.id.getVerifiedEmail get method when it wishes to request that the User Agent generate an identity assertion as soon as it can. The User Agent SHOULD immediately seek to generate an Identity Assertion, and complete it with appropriate certificates to form a Backed Identity Assertion. This is likely to require prompting the user if it deems it necessary, and call the provided callback with an identity assertion or null User Agent may do this in case whatever way it deems appropriate. The User Agent MUST fire one of two events on the <tt>navigator.id</tt> object: * A <tt>loginCancelled</tt> event if the user chooses chose not to log in. * A <tt>login</tt> event if the user chose to log in. This event MUST include the Backed Identity Assertion in the <tt>assertion</tt> property.
FIXME: should we provide error information if it's not just a user cancel?
};
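Review bot: the rename of the call is only half-visible in this hunk because the inline diff fuses the removed and inserted tokens: the signature line reads <tt>navigator.id.getVerifiedEmailget(object options, function callback);</tt>, the prose reads "the navigator.id.getVerifiedEmail get method", and "if the user chooses chose not to log in" is the same old/new pairing; the resulting text should read <tt>navigator.id.get(object options, function callback);</tt>, "the navigator.id.get method" and "if the user chose not to log in" throughout. Two things the new text leaves open: the <tt>object options</tt> parameter is declared in the signature but never described, and the dangling <tt>};</tt> with no opening brace suggests the options listing was cut out of this revision rather than rewritten. On the FIXME: with only <tt>login</tt> and <tt>loginCancelled</tt> a Relying Party cannot distinguish a deliberate user cancel from a failure to obtain a Backed Identity Assertion (for example no usable certificate), so the spec should either add an error event or give <tt>loginCancelled</tt> a reason property, and should say that the old "callback with an identity assertion or null" contract is gone so implementers do not keep both paths.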
 
FIXME: the below needs complete revision
To process a request for identity registration from a web page, a User-Agent MUST:
# Create, if it has not already done so, a local data store that will persist beyond the current page view, keyed on email identity.
# Check the local data store for whether a certificate for the email address already exists and is valid. If so, the User-Agent SHOULD NOT proceed with key generation, and instead immediately call the provided callback to registerVerifiedEmail genKeyPair with a ''null'' argument.
# If no certificate already exists, the User-Agent MAY notify the user that a new email identity is being registered with the User-Agent. If the email identity has a domain that is different from the Identity Authority, the User-Agent SHOULD notify the user and seek confirmation.
# Produce an asymmetric keypair compatible with the JSON Web Key specification [JWK] and store it in the local data store.
# Return the public key to the JavaScript runtime of the web page through the provided callback.
# At a future point, when the registerVerifiedEmailCertificate registerCertificate function is called by a web page, the User Agent MUST verify that the public key in the Identity Certificate matches the already-stored keypair for the email identity in question. If it does not match, the User-Agent SHOULD reject the certificate and (do what?).
# Save the new certificate, as well as the refreshURL and errorURL arguments of the registerVerifiedEmailCertificate function.
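Review bot: step 6 ends in "(do what?)" and that is the one place in this procedure that needs a precise answer: the public-key match between the presented Identity Certificate and the locally stored keypair is what stops a page from binding a certificate for a key it controls to the user's email identity, so the text should say the User-Agent MUST discard the certificate, MUST NOT store it or use it for assertions, and how the failure is reported to the page (the hunk above only offers the <tt>login</tt>/<tt>loginCancelled</tt> pair, which does not fit here). The function names are still fused old/new pairs, "registerVerifiedEmail genKeyPair" and "registerVerifiedEmailCertificate registerCertificate"; the resulting text should use <tt>genKeyPair</tt> and <tt>registerCertificate</tt> only. Step 2 reuses ''null'' as the "certificate already present" signal to the <tt>genKeyPair</tt> callback, which overloads the value that elsewhere means failure; a distinct result would be clearer. Step 7 stores <tt>refreshURL</tt> and <tt>errorURL</tt> but neither argument is defined in this section, and the stated purpose of the persisted store in step 1 (keyed on email identity) should also cover what happens to a stored keypair when step 6 rejects the certificate.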