Identity/AttachedServices/KeyServerProtocol: Difference between revisions

Line 220 (unchanged context, present in both revisions):

For /certificate/sign, it is critical to enable payload verification by setting options.payload=true (on both client and server). Otherwise a man-in-the-middle could submit their own public key, get it signed, and then delete the user's data on the storage servers.


Old revision:

Most keyserver APIs require a HAWK-protected request that uses the sessionToken. In addition, most (but not all) require that the account be in the "verified" state:

* GET /session/status
* POST /session/destroy
* POST /certificate/sign
* GET /account/recovery_methods (does not require verification)
* POST /account/recovery_methods/send_code
* GET /account/devices

New revision:

The following keyserver APIs require a HAWK-protected request that uses the sessionToken. In addition, some require that the account be in the "verified" state:

* GET /account/devices
* POST /session/destroy
* GET /recovery_email/status
* POST /recovery_email/resend_code
* POST /certificate/sign (requires "verified" account)
* POST /password/change/auth/start
* POST /password/change/auth/finish


= Resetting The Account =