top | item 2765198

(no title)

paulosman | 14 years ago

Have you read the spec? https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol

That's essentially what this is... with a verification service and web based UI to help bootstrap it.

discuss

a3_nm|14 years ago

A good way to check if does the right thing is to make sure it does not depend on the security of DNS. Is this the case? (I'm still trying to find out.)

gbhn|14 years ago

BrowserID implements https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol

From that document: "destination.com retrieves Alice's public key from mailhost.com by using a webfinger lookup over SSL."

So it looks to me that the system's security depends on the attacker not having compromised DNS such that the relying party's query of mailhost.com is intercepted. Depending on the implementation doing this "over SSL" provides some additional security over unchecked reliance on DNS, but given how frequently keys roll, it may not be that much in practice.

a3_nm|14 years ago

Apparently, it does not do what I hoped it would. Assertions are about ownership of an email address, not about control of the private part of a key pair.