Feb 23, 2012

On Mozilla BrowserId

Some weeks ago I read about Mozilla's new BrowserID initiative. My opinion in two words... bad idea. Disclaimer: I'm an OpenID fan boy. These are my concerns about BrowserID:


Momentum: it has taken years for OpenID to gain some traction among both developers and "non-hacker" internet users, and only when the main social networks and service providers (Google, Facebook) also became OpenID providers did people start using it. Now, with a new "standard" (note the quotes), we will see fragmentation in the Internet SSO landscape. If "Facebook Connect" and "Sign in with Twitter" weren't bad enough, a new player on the field will make things worse, both for users (see below) and for developers, who have to support Yet Another Sign In Method.


Subscription workflow: this is a simplified version of the BrowserID subscription workflow:

  1. You log into e.g. Gmail.
  2. Your browser generates a keypair and sends the public key to Gmail.
  3. Gmail signs your public key and sends your browser a certificate saying "this key is owned by whoever@gmail.com".
  4. You click "sign in" on some site (e.g. Hacker News) that uses BrowserID.
  5. Your browser sends Hacker News a message saying "my user is whoever@gmail.com", signed with the private key generated in step 2.
  6. Hacker News looks at the "gmail.com" part, grabs Gmail's public key (the one that signed your public key in step 3) and verifies the signatures.


A full description can be found here. Now, the two main problems here are that this workflow is overly complicated and that you are locked in with your email service provider. OpenID has an elegant solution for this.


As a final note, I didn't find a clear answer on whether BrowserID would also require a browser feature (I suppose so) and whether it would ever be supported by anyone other than Firefox.