Changes


Identity/BrowserID

1,462 bytes removed, 23:15, 19 January 2012
Provisioning
}
};
 
 
FIXME: the below needs complete revision
 
To process a request for identity registration from a web page, a User-Agent MUST:
 
# Create, if it has not already done so, a local data store that will persist beyond the current page view, keyed on email identity.
# Check the local data store for whether a certificate for the email address already exists and is valid. If so, the User-Agent SHOULD NOT proceed with key generation, and instead immediately call the provided callback to genKeyPair with a ''null'' argument.
# If no certificate already exists, the User-Agent MAY notify the user that a new email identity is being registered with the User-Agent. If the email identity has a domain that is different from the Identity Authority, the User-Agent SHOULD notify the user and seek confirmation.
# Produce an asymmetric keypair compatible with the JSON Web Key specification [JWK] and store it in the local data store.
# Return the public key to the JavaScript runtime of the web page through the provided callback.
# At a future point, when the registerCertificate function is called by a web page, the User-Agent MUST verify that the public key in the Identity Certificate matches the already-stored keypair for the email identity in question. If it does not match, the User-Agent SHOULD reject the certificate and (do what?).
# Save the new certificate, as well as the refreshURL and errorURL arguments of the registerVerifiedEmailCertificate function.
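
The User-Agent steps above, sketched as an added Node.js example (not part of the original page and not BrowserID project code). The argument lists of genKeyPair and registerCertificate, the certificate shape {email, publicKey, validUntil}, the in-memory Map and the P-256 key type are assumptions; certificate signature verification and the user notification step are left out.

```javascript
// Added sketch of the User-Agent provisioning steps; all shapes are assumed.
const crypto = require('crypto');

// Step 1: data store keyed on email identity.
// A Map stands in for storage that persists beyond the page view (assumption).
const store = new Map();

// Assumed certificate shape: { email, publicKey: <JWK>, validUntil: <ms epoch> }.
function certIsValid(cert, now) {
  return Boolean(cert) && cert.validUntil > now;
}

// Compare only the public JWK members of a P-256 key.
function samePublicKey(a, b) {
  return ['kty', 'crv', 'x', 'y'].every((k) => a[k] === b[k]);
}

// Steps 2, 4 and 5: skip key generation when a valid certificate exists,
// otherwise generate a keypair, store it, and hand back the public JWK.
function genKeyPair(email, callback, now = Date.now()) {
  const entry = store.get(email);
  if (entry && certIsValid(entry.cert, now)) return callback(null);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'P-256',
  });
  const publicJwk = publicKey.export({ format: 'jwk' });
  store.set(email, { privateKey, publicJwk, cert: null });
  return callback(publicJwk);
}

// Steps 6 and 7: accept a certificate only if it names this email and
// carries the public key generated here; on mismatch nothing is stored.
function registerCertificate(email, cert, refreshURL, errorURL) {
  const entry = store.get(email);
  if (!entry || cert.email !== email ||
      !samePublicKey(cert.publicKey, entry.publicJwk)) {
    return false;
  }
  Object.assign(entry, { cert, refreshURL, errorURL });
  return true;
}
```

The key comparison in registerCertificate is what stops a page from getting a certificate stored for a key the User-Agent does not hold the private half of.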
 
=== Certificate Refresh ===