Identity/BrowserID: Difference between revisions

Jump to navigation Jump to search

Identity/BrowserID (view source)

Revision as of 19:22, 19 January 2012

481 bytes added ,  19 January 2012
→‎Assertion Verification
Line 254: Line 254:
== Assertion Verification ==
== Assertion Verification ==


Identity Assertions MUST NOT be verified in the client, in JavaScript or otherwise, since client runtimes may be altered to circumvent such verification. Instead, Identity Assertions SHOULD be sent to a trusted server for verification.
Backed Identity Assertions SHOULD NOT be verified in the client, in JavaScript or otherwise, since client runtimes may be altered to circumvent such verification. Instead, Backed Identity Assertions SHOULD be sent to a trusted server for verification.


To verify an Identity Assertion, a Relying Party MUST perform the following checks:
To verify a Backed Identity Assertion, a Relying Party SHOULD perform the following checks:
# If the valid-until date of the assertion is earlier than the current time, the assertion has expired and must be rejected.
# If the <tt>exp</tt> date of the assertion is earlier than the current time by more than a certain interval, the assertion has expired and must be rejected. A Relying Party MAY choose the length of that interval, though it is recommended that it be less than 5 minutes.
# If the nonce in the assertion has previously been received by the relying party, the assertion has been used and must be rejected.
# If the <tt>audience</tt> field of the assertion does not match the Relying Party's origin (including scheme and optional non-standard port), reject the assertion. A domain that includes the standard port, of 80 for HTTP and 443 for HTTPS, SHOULD be treated as equivalent to a domain that matches the protocol but does not include the port.  (XXX: Can we find an RFC that defines this equality test?)
# If the audience field of the assertion does not match the full domain (including scheme and optional non-standard port) of the page that requested the Identity Assertion, the assertion must be rejected.  Note that implementations MUST include the scheme and non-standard port, if any, in the match check. A domain that includes the standard port, of 80 for HTTP and 443 for HTTPS, MUST be treated as equivalent to a domain that matches the protocol but does not include the port.  (Can we find an RFC that defines this equality test?)
# If the Identity Assertion's signature does not verify against the public-key within the last Identity Certificate, reject the assertion.
# The signature over the assertion must be verified with the public key contained in the certificate.
# If there is more than one Identity Certificate, then reject the assertion unless each certificate after the first one is properly signed by the prior certificate's public key.
# If the first certificate (or only certificate when there is only one) is not properly signed by the expected issuer's public key, reject the assertion. The expected issuer is either the domain of the certified email address in the last certificate, or the issuer listed in the first certificate if the email-address domain does not support BrowserID.
# WORK HERE
# The certificate must be verified using the issuer's public key.  If the certificate contains an Issuer element, the certificate is secondary; in this case, the Relying Party must further decide whether the issuer is one that it trusts.
# The certificate must be verified using the issuer's public key.  If the certificate contains an Issuer element, the certificate is secondary; in this case, the Relying Party must further decide whether the issuer is one that it trusts.


BenAdida
668

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/388629"

Navigation menu