Identity/AttachedServices/KeyServerProtocol: Difference between revisions

Identity/AttachedServices/KeyServerProtocol (view source)

734 bytes added , 1 August 2013

add account-deletion section

Confirmed users

471

edits

@@ Line 293: / Line 293: @@
 After using /account/reset, clients should immediately perform the login protocol from above. If the old password was forgotten, this is necessary to fetch kA. In either case, a new sessionToken is required, since old sessions and tokens are revoked by /account/reset. Clients should retain the new srpPassword value during this process to avoid needing to run the lengthy key-stretching routine a second time.
+= Deleting The Account =
+When the user wishes to completely delete their account, the browser needs to perform two actions:
+* contact the storage servers and delete all records and collections
+* contact the keyserver and delete the account information
+The user should be prompted for their password as confirmation (i.e. a browser in the normal attached-and-synchronizing state should not be able to erase the account information: it must acquire a new authToken first).
+The device then obtains an authToken as described above, then spends it on a HAWK-protected request to the /account/delete endpoint. This request contains no body and returns only a success code.
+[[File:PICL-IdPAuth-deleteAccount.png|Deleting the Account]]
 = Crypto Notes =