Changes

Identity/BrowserID

229 bytes added, 01:14, 22 February 2012
Certifying Users
The domain SHOULD determine, without any user-facing content, the user's state of authentication with the domain. The domain MAY use cookies or localStorage to make this determination.
The domain SHOULD MUST call, in JavaScript:
navigator.id.beginProvisioning(provisionEmailFunction);
with <tt>provisionEmailFunction</tt> a function that accepts an email address as parameter.
Once the email address determined, the domain SHOULD check that the user is properly authenticated to use this email address. If she isn't, the domain SHOULD call <tt>navigator.id.raiseProvisioningFailure(explanation)</tt> with <tt>explanation</tt> a string explaining the failure.
If the user is properly authenticated, the domain SHOULD MUST call:
navigator.id.genKeyPair(gotPublicKey);
with <tt>gotPublicKey</tt> a function that accepts a JWK-string-formatted public-key.
The domain's JavaScript SHOULD then send this JWK string to the domain's backend server. The domain's backend server SHOULD certify this key along with the email address provided to its <tt>provisionEmailFunction</tt> function, and an expiration date at least 1 minutes in the future. The backend server SHOULD NOT issue a certificate valid longer than 24 hours. The domain's backend server SHOULD then deliver a JWCert-string-formatted certificate back to its JavaScript context. The domain's JavaScript MUST finally call: navigator.id.registerCertificate(certificate);with the JWCert string.
== Assertion Verification ==
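Review bot: the authentication check in the paragraph starting "Once the email address determined" is still only a SHOULD, while the calls around it (beginProvisioning, genKeyPair and the final registerCertificate) are worded as MUST, so a conforming domain could still certify a key for an email address without confirming the user is authenticated for it. Consider raising that check and the raiseProvisioningFailure call to MUST, and likewise the backend's "SHOULD certify" step and the "SHOULD NOT issue a certificate valid longer than 24 hours" ceiling, since those bound what a leaked certificate is worth. Two wording points in the last paragraph: "at least 1 minutes" should read "1 minute", and the closing sentence needs a break after "navigator.id.registerCertificate(certificate);" so that "with the JWCert string" is not fused to the call.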