ANN: BROWSER-ID a new SASL Authentication mechanism under development
Austin King
ozten at mozilla.com
Fri Sep 2 11:57:49 EDT 2011
On 09/02/2011 05:17 AM, Alexey Melnikov wrote:
> Hi Austin,
>
> Austin King wrote:
>
>> At Mozilla, we're experimenting with a new SASL plugin for BrowserID[1].
>>
>> BrowserID is a decentralized identity system that makes it possible
>> for users to prove ownership of email addresses in a secure manner,
>> without requiring per-site passwords[2].
>
> Is there a SASL-related spec for this, or at least an example of the
> SASL exchange?
I can definitely use your help!
https://github.com/ozten/sasl-browserid/blob/master/docs/sasl-browserid-design.md
I'll be documenting this better over time and just started talking to
our security team about an architecture review.
>
>> Once this plugin is production quality, what is the best way to
>> distribute it? Should we try to get it upstream into Cyrus SASL,
>> downstream it into OS distributions, or just provide it for download
>> from a website?
>
> My personal preferences are to try to get it into the upstream. The
> next step down is a patch in "contrib". Separate download is of course
> always an option.
Great, eventually having source in Cyrus SASL tree makes a lot of sense.
>
> I will need to have a look at the build dependencies. Complicated
> dependencies are not a showstopper, but at least we should eliminate
> circular dependencies (if any).
The plugin depends on curl and yajl 2 [1] for the browserid.org
verification call.
The plugin also depends on mysql to maintain a session cache. This is
useful for web-oriented uses of the plugin.
I'm not sure there are any "long-lived connection" use cases, but if so
they would not need a session, so mysql is optional.
The session backend could be generalized to be like auxprop (other
backends besides mysql), but I'll only build out one backend in the
short term.
>> Next Steps - I see centrally registering auth mechanisms, RFCs for
>> mechanism communication, etc are mentioned. Is this still common
>> practice?
>
> Very much so. I can help you with this as well, as I've written some
> SASL-related RFCs.
Again, much appreciated. If you like IRC, we're in
ircs://irc.mozilla.org/#identity
ozten is my nick.
thanks,
Austin
[1] http://lloyd.github.com/yajl/
More information about the Cyrus-devel mailing list