Identity/Features/Firefox-native Verified Email Client: Difference between revisions

{{#set:Feature name=Firefox-native Verified Email Client

|Feature stage=Shelved |Feature status=In progress |Feature version=TBD |Feature health=Blocked |Feature status note=Scoping new work after VEP changes. }}

{{#set:Feature product manager=Dan Mills

|Feature feature manager=David Dahl |Feature lead engineer=David Dahl |Feature security lead=Curtis Koenig |Feature privacy lead=Sid Stamm |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=James Bonacci |Feature ux lead=Zhenshuo Fang |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=Diane Loviglio (user research) }}

`

1. Feature overview

Ability to sign into web sites using Verified Email, integrated with our (secondary authority) ID service.

Related features:

• Verified Email Service
• Web-based Verified Email Client
• Verified Email Service Admin Interface
• Sign into the browser

2. Users & use cases

Note: you may wish to read the use-case for the Web-based Verified Email Client as well

Anne is a Firefox user. She has an iPhone too, and uses Firefox Sync to get to her bookmarks from her phone.

While browsing the Web, Anne sees a notification bar in Firefox asking her to verify the email address she uses to sign into Firefox Sync. Anne decides to go ahead, clicks a button to send a verification message, and is told to check her inbox for a message.

Anne finds the message in her inbox and clicks the link. She is taken back to Firefox and a message thanks her for verifying the email address. Firefox also tells her that she can now use her verified email address to sign into any supported Web site without any extra passwords.

While talking to her friend Mark, Anne learns about a site called SaladFans.com. Excited to try it out, she browses to the site on her desktop, and when she clicks the "sign in" button, Firefox asks her if it's OK to disclose her verified email address with SaladFans.com. Anne clicks OK, SaladFans.com refreshes and she is now signed in!

Key points:

• Site API triggers enhanced chrome dialogs in Firefox
• The same API triggers HTML pop-ups on other browsers (see Web-based Verified Email Client)
• Firefox reuses Sync credentials for Verified Email
• Firefox can verify the email proactively before first-use

3. Dependencies

`

4. Requirements

Content APIs in place for web sites to:

• Request a verified email from the browser
  • Support for signing new identity assertions in-browser
• Be proactively given a verified email
• Advertise active/passive sign-in user sessions and sign-out method
• Register a verified email certificate (primary/secondary authority API)
  • Support for keeping certificates in the browser
  • Support for refreshing certificates as needed

Browser UI in place to:

• Create a Firefox Account
• Sign into a Firefox Account
• Add an email address to a Firefox Account, and verify it
• Sign into a site by disclosing an email, whether the process is started from chrome or content
• Display active session(s) with the site, and sign-out

Non-goals

• Integrating with/implementing non-Verified Email auth protocols
  • including HTTP Auth, forms-based sign-in, OpenID, OAuth, etc.
• Multiple accounts per-site (plus fast-user switching)
• Expanding "sign into the browser" role to allow multiple user support, profile switching support, master password support
• Integrating account information into site-prefs

5. Functional specification

API docs:

• Verified Email Protocol
• Client API (obsolete?)

6. User experience design

Mockups:

• Verified Email (various)
• Firefox Account
• HTML client mockups (for reference)

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

• Basic Identity items test plan

Operations review

`

9. Implementation

Next Steps

• Scope engineering work [David Dahl]
• UX Research [Diane Loviglio]
• Session API Draft [Dan Mills]
• flesh out test plan with test case summaries [Tracy Walker]
• Security review [?]
• Engineering work [David Dahl]

Related Bugs

• Tracking bug
  • Tracking bug: email disclosure APIs
  • Tracking bug: Firefox account & email verification UI
  • Tracking bug: Session discovery & chrome UI

10. Landing criteria

` {{#set:Feature open issues and risks=` |Feature overview=Ability to sign into web sites using Verified Email, integrated with our (secondary authority) ID service.

Related features:

• Verified Email Service
• Web-based Verified Email Client
• Verified Email Service Admin Interface
• Sign into the browser

|Feature users and use cases=Note: you may wish to read the use-case for the Web-based Verified Email Client as well

Anne is a Firefox user. She has an iPhone too, and uses Firefox Sync to get to her bookmarks from her phone.

While browsing the Web, Anne sees a notification bar in Firefox asking her to verify the email address she uses to sign into Firefox Sync. Anne decides to go ahead, clicks a button to send a verification message, and is told to check her inbox for a message.

Anne finds the message in her inbox and clicks the link. She is taken back to Firefox and a message thanks her for verifying the email address. Firefox also tells her that she can now use her verified email address to sign into any supported Web site without any extra passwords.

While talking to her friend Mark, Anne learns about a site called SaladFans.com. Excited to try it out, she browses to the site on her desktop, and when she clicks the "sign in" button, Firefox asks her if it's OK to disclose her verified email address with SaladFans.com. Anne clicks OK, SaladFans.com refreshes and she is now signed in!

Key points:

• Site API triggers enhanced chrome dialogs in Firefox
• The same API triggers HTML pop-ups on other browsers (see Web-based Verified Email Client)
• Firefox reuses Sync credentials for Verified Email
• Firefox can verify the email proactively before first-use

|Feature dependencies=` |Feature requirements=Content APIs in place for web sites to:

• Request a verified email from the browser
  • Support for signing new identity assertions in-browser
• Be proactively given a verified email
• Advertise active/passive sign-in user sessions and sign-out method
• Register a verified email certificate (primary/secondary authority API)
  • Support for keeping certificates in the browser
  • Support for refreshing certificates as needed

Browser UI in place to:

• Create a Firefox Account
• Sign into a Firefox Account
• Add an email address to a Firefox Account, and verify it
• Sign into a site by disclosing an email, whether the process is started from chrome or content
• Display active session(s) with the site, and sign-out

|Feature non-goals=* Integrating with/implementing non-Verified Email auth protocols

• • including HTTP Auth, forms-based sign-in, OpenID, OAuth, etc.
• Multiple accounts per-site (plus fast-user switching)
• Expanding "sign into the browser" role to allow multiple user support, profile switching support, master password support
• Integrating account information into site-prefs

|Feature functional spec=API docs:

• Verified Email Protocol
• Client API (obsolete?)

|Feature ux design=Mockups:

• Verified Email (various)
• Firefox Account
• HTML client mockups (for reference)

|Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=* Basic Identity items test plan |Feature operations review=` |Feature implementation notes===== Next Steps ====

• Scope engineering work [David Dahl]
• UX Research [Diane Loviglio]
• Session API Draft [Dan Mills]
• flesh out test plan with test case summaries [Tracy Walker]
• Security review [?]
• Engineering work [David Dahl]

Related Bugs

• Tracking bug
  • Tracking bug: email disclosure APIs
  • Tracking bug: Firefox account & email verification UI
  • Tracking bug: Session discovery & chrome UI

|Feature landing criteria=` }}

{{#set:Feature priority=P2

|Feature rank=999 |Feature theme=` |Feature roadmap=Mozilla Identity |Feature secondary roadmap=` |Feature list=Desktop |Feature project=` |Feature engineering team=Desktop front-end }}

{{#set:Feature products status=`

|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=sec-review-active |Feature security health=Assigned |Feature security notes=sstamm |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}