=== Certifying Users ===
A BrowserID-compliant domain MUST provider user-key-certification at the URI referenced by the <tt>provisioning</tt> field in its published BrowserID support document, as follows:.
* The domain SHOULD deliver HTML and JavaScript at that URI, which it can expect to be evaluated in a standard user-agent IFRAME.* The domain SHOULD determine, without any user-facing content, the user's state of authentication with the domain. The domain MAY use cookies or localStorage to make this determination.* The domain SHOULD call, in JavaScript, call:
navigator.id.beginProvisioning(provisionEmailFunction);
where with <tt>provisionEmailFunction</tt> is a function that accepts an email address as parameter. Once the email address determined, the domain SHOULD check that the user is properly authenticated to use this email address. If she isn't, the domain SHOULD call <tt>navigator.id.raiseProvisioningFailure(explanation)</tt> with <tt>explanation</tt> a string explaining the failure. If the user is properly authenticated, the domain SHOULD call: navigator.id.genKeyPair(gotPublicKey);with <tt>gotPublicKey</tt> a function that accepts a JWK-formatted public key.
== Assertion Verification ==
