Changes

A primary authority MUST:* declare support and parameters for BrowserID* provide a user-authentication web flow* provide a user-certification web flow === BrowserID Support Document === A BrowserID support document MUST be a well-formed JSON document with at least these three fields: ''public-key'', ''authentication'', and ''provisioning''. The document MAY contain additional JSON fields. The value of the ''public-key'' field MUST be a Public Key serialized as a JSON object, as defined above. The value of the ''authentication'' field MUST be a relative reference to a URI, as defined by [https://tools.ietf.org/html/rfc3986 RFC3986]. The value of the ''provisioning'' field MUST also be a relative reference to a URI. ==== BrowserID Delegated Support Document ==== A BrowserID delegated-support document MUST be a well-formed JSON document with at least one field: ''authority''. This field MUST be a domain name. === Declaring Support and Parameters for BrowserID === To declare support for BrowserID , a domain MUST publish either a BrowserID support document OR a BrowserID delegated-support document at a specific URI relative to the domain's SSL URI. The relative reference URI for this document is <tt>/.well-known/browserid</tt>, as per <a href="https://tools.ietf.org/html/rfc5785">RFC5785</a>. The domain MAY choose to reference this BrowserID support document from a host-meta file (as per RFC5785). The BrowserID support document (or delegated-support document) MUST be served with Content-Type ''application/json''. The BrowserID support document (or delegated-support document) MAY be served with cache headers to indicate longevity of the BrowserID support parameters. === Authenticating Users ===