ANN: BROWSER-ID a new SASL Authentication mechanism under development
Austin King
ozten at mozilla.com
Tue Aug 30 14:40:30 EDT 2011
At Mozilla, we're experimenting with a new SASL plugin for BrowserID[1].
BrowserID is a decentralized identity system that makes it possible
for users to prove ownership of email addresses in a secure manner,
without requiring per-site passwords[2].
I'm looking for feedback on implementing a SASL authentication mechanism.
I've got roughly the happy case working with pluginviewer and OpenLDAP.
Don protective eyewear and visit:
https://github.com/ozten/sasl-browserid
Any feedback is appreciated, but specifically:
* Code review / contributions
* Preferred distribution channel
* Licensing
* Enterprise or Academic Use Cases
* Next steps and Timing
Once this plugin is production quality, what is the best way to
distribute it? Should we try to get it upstream into Cyrus SASL,
downstream it into OS distributions, or just provide it for download
from a website?
Licensing - is there any preferred licensing for the code? This
partially depends on the target distribution channel. We want to
balance this decision with input from your community. plugins_common
is currently a dependency. We'll re-write that to get it out of the
repo (unless it's not an issue).
Use Cases - Is this plugin worth building? We're finding we need it for
our LDAP directories which are used from web applications. Authentication
using SASL seems more secure than using proxy authentication. BrowserID
is an awkward auth mechanism in that it originates from JavaScript in web
content. Are there other valid use cases (webmail?) where this plugin
could see some real-world use? Perhaps webmail...?
Next Steps - I see centrally registering auth mechanisms, RFCs for
mechanism communication, etc are mentioned. Is this still common practice?
Other feedback can come in bugs [3], pull requests, etc
thanks,
ozten
[1] https://browserid.org
[2] http://lloyd.io/how-browserid-works
[3] https://github.com/ozten/sasl-browserid/issues