En:NeMo-BrowserID


NeMo Article Base
Browser ID Explained
by Dwaraka Nath


Browser ID

The name sounds weirdly new. Many people who heard it for the first time had different opinions about this project, one of Mozilla's most celebrated. The fact is, it has nothing to do with a browser or its identification. Mozilla is simply trying to ease the way we sign up and manage our identities across websites and portals.

Yesterday afternoon, I was helping my dad sign up for some forum where he had to shoot out a question about some insurance policies. Annoyingly, the procedure was no piece of cake. We had to choose some username, check for its availability, not to mention the password and the good old captcha. Then there was that usual 'verify-your-email-before-proceeding' step. The whole process drove me insane. By the time I was done with all the formalities, my dad was already sound asleep :P

We've been through these usual steps of acquiring our identity for some time now, and we need to move on to something simple and dynamic. All we need is a breakthrough and yes, it is happening. Say hi to Browser ID!

Browser ID is a secure, decentralized way for users to tell websites the information they require. The primary identifier of your identity here is your email address. Simply put, Browser ID tells the website, “Hey, I'm really the one who owns this email address.”

Browser ID started as an experiment in Mozilla Labs, and the rave reviews that followed motivated the team behind it to work hard to bring it to the forefront. A few things that have made this concept a hit:

  1. In Browser ID, the primary identity is your email address. No more username signup, password check and other such steps.
  2. Promotes security and the ultimate user experience – no typing passwords during login, and thus secure to work with in all places, be it a public hotspot or a coffee shop. Expect more with the advent of native support for Browser ID across various browsers.
  3. Totally decentralized in approach. People who implement Browser ID in their portals and sites have total control over its working and authentication. No third-party intervention.
  4. From now on, people who implement Browser ID don't have to worry about signups with fake email IDs, because all email addresses used with Browser ID are validated.

Err... Okay... But how does this work?!

Introductions

Yes, that's right at the top of my agenda and I'm coming to that. Before we move on to how the system works, there are a few terms that you need to understand.

  1. Primary Identity Authority – The people you get your email address from, typically Gmail, Hotmail or Yahoo!
  2. Relying Party (RP) – The one who implements Browser ID on their website.
  3. Implementation Provider (IP) – This might be either your browser, if it has native support for Browser ID, or browserid.org; both look after the client-side implementation of Browser ID.

Workflow

Generating your Identity

  1. Initially, you sign in to your email service provider account in your browser.
  2. JavaScript from your email service provider invokes a function to generate a key pair on the client side, after which the public key is sent to the email service provider over a secured connection for certificate signing.
  3. The email service provider signs the public key and the email address, assigns a validity period, and returns the whole bundle to the browser.
  4. The browser then stores the returned bundle along with the private key in its cache to form a usable identity for Browser ID logins.

Identity Assertion and Verification

  1. Once you click 'sign in with a Browser ID' (as it is generally implemented), you choose an email address from a list of email addresses that you've already validated for use as a Browser ID.
  2. The browser then bundles together the RP identity, the email address and its public key along with a validity period, and returns the bundle to the web page.
  3. Once the bundle reaches the web page's servers, its validity is checked and the public key for the bundle is obtained again from the Primary Identity Authority.
  4. The signature certificate in the bundle and the one obtained from the Primary Identity Authority are matched and verified.
  5. If they match, the RP knows that the identity is true.
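
The two lists above as one runnable exchange, added here as an example and not code from the original article or from Mozilla's BrowserID implementation. Ed25519 keys, the JSON layout, the function names and the `*.example` hosts are assumptions; the browser also signs its assertion with its private key, as the BrowserID protocol does, which the steps above leave implicit.

```javascript
// Added sketch of the workflow above; not Mozilla's BrowserID code.
// Ed25519, JSON encoding, field names and *.example hosts are assumptions.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj));
const pem = (key) => key.export({ type: 'spki', format: 'pem' });
const sigOk = (signed, keyPem) =>
  verify(null, enc(signed.body), createPublicKey(keyPem), Buffer.from(signed.sig, 'base64'));
const signBody = (body, privateKey) =>
  ({ body, sig: sign(null, enc(body), privateKey).toString('base64') });

// Email provider (Primary Identity Authority): signs email + user key + validity.
const provider = generateKeyPairSync('ed25519');
function issueCertificate(email, userPublicPem, ttlMs, now = Date.now()) {
  return signBody({ email, publicKey: userPublicPem, expires: now + ttlMs }, provider.privateKey);
}

// Browser: signs a short-lived assertion naming the one RP it is meant for.
function makeAssertion(identity, audience, ttlMs, now = Date.now()) {
  const assertion = signBody({ audience, expires: now + ttlMs }, identity.privateKey);
  return { certificate: identity.certificate, assertion };
}

// Relying Party: provider key -> certificate -> user key -> assertion.
function verifyBundle(bundle, providerPublicPem, myOrigin, now = Date.now()) {
  const { certificate: cert, assertion } = bundle;
  const fail = (reason) => ({ ok: false, reason });
  if (!sigOk(cert, providerPublicPem)) return fail('bad certificate');
  if (cert.body.expires <= now) return fail('certificate expired');
  if (!sigOk(assertion, cert.body.publicKey)) return fail('bad assertion');
  if (assertion.body.expires <= now) return fail('assertion expired');
  if (assertion.body.audience !== myOrigin) return fail('wrong audience');
  return { ok: true, email: cert.body.email };
}

// Constructed sample run: provision an identity, then log in to one site.
const userKeys = generateKeyPairSync('ed25519');
const identity = {
  privateKey: userKeys.privateKey,
  certificate: issueCertificate('alice@mail.example', pem(userKeys.publicKey), 3600e3),
};
const providerPem = pem(provider.publicKey);
const bundle = makeAssertion(identity, 'https://forum.example', 120e3);
console.log(verifyBundle(bundle, providerPem, 'https://forum.example'));
```

A bundle presented to a different site, an assertion past its validity period, or a certificate whose contents were altered each makes `verifyBundle` return `ok: false` with the matching reason.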

I guess it makes sense. At least, I hope so.

One common doubt among users is: how different is this from Open ID?

  1. Well, Open ID too tries to use a single identity across various sites and portals. But Browser ID differs from it in that your primary identity is your email address.
  2. There is no intervention of the identity provider in your login transaction in Browser ID. The public key match is performed in a disconnected manner. So users of Browser ID are safe in the sense that their online activity is not revealed to their identity provider, the way it is to an Open ID provider, and cannot be tracked.
  3. No typing passwords, and thus secure, in Browser ID. Integration into browsers brings much more security and a better user experience.

P.S.: The Browser ID project is being renamed Mozilla Persona, but Browser ID shall remain the name of the project on the developer side.