Thanks Dirkjan (and Jan). Yes, so the first milestone is definitely a standard RP mode working against browserid.org's web services.
To clarify, "tinfoil hat" mode is actually just a complete implementation of the RP role, notably that it does not require the POST to browserid.org/verify to verify an assertion. Thus, CouchDB could be used on an intranet where an existing IdP exists. The IdP is out of scope, but I expect to install one to test CouchDB when that time comes. Tinfoil hat mode is perfectly cromulent, I just called it that due to recent news about wiretaps and that stuff.

On Mon, Jul 29, 2013 at 4:03 PM, Dirkjan Ochtman <[email protected]> wrote:
> On Mon, Jul 29, 2013 at 6:13 AM, Jason Smith <[email protected]> wrote:
>> Thanks, Jim. That is basically my plan. To be clear, I would ship
>> "outsourced mode" (browserid.org hosted JavaScript and verification)
>> in a CouchDB release. It's just that I would work to get "tinfoil hat
>> mode" added in for a subsequent release. Outsourced mode already
>> exists (modulo a rewrite and unit tests) as a plugin, but I want to
>> merge it in.
>
> Running the verification inside CouchDB is very sane. It looks like
> local verification will be the recommended approach anyway in the near
> future.
>
>> I am not sure if I understand you exactly. Persona is a three-party
>> protocol between users, relying parties (RPs) and identity providers
>> (IdPs). I am talking about RP support for CouchDB. AFAIK there is a
>> bit of mere-mortal crypto to do but it does not require IdP support.
>
> Your tinfoil hat mode is a bit weird. If you're doing disconnected
> operation, you can only connect to Identity Providers inside the LAN,
> so general RP support becomes impossible, so it's a pretty crippled
> setup.
>
> Cheers,
>
> Dirkjan

--
Nodejitsu
