Extracting certifier docs to the certifier repo

commit 26ba045124a6303ac37a2fbdbb3c42d6ae8c0b1e 1 parent eeb6fd1
@ozten ozten authored
Showing with 26 additions and 30 deletions.
  1. +5 −11 README.md
  2. +21 −19 docs/OPS_NOTES.md
16 README.md
@@ -14,17 +14,11 @@ Q: How can I get Mozilla to add my service to the big tent?
A: Nope, please implement that BrowserID Primary protocol for your users
+Dependencies
+------------
+
+* This project reuses a [certifier](https://github.com/mozilla/browserid-certifier) server
+
Status
------
Not ready for production use!
-
-Process
--------
-1. (done) Auth via Google
-2. (done) Maintain email address in session
-3. (done) provision
-4. (done) sign in
-5. browserid.org whitelist
-6. Multiple auths coexisting
-7. (done) awsbox
-8. Add statsd monitoring points
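Review bot: the new Dependencies entry names the certifier but the README now says nothing about how BigTent is pointed at it (host, port or config key), nor that BigTent refuses to start when its public key does not match the certifier's keypair; a pointer to docs/OPS_NOTES.md next to `* This project reuses a [certifier](https://github.com/mozilla/browserid-certifier) server` would save an operator the search. Separately, deleting the whole Process list also drops the three open items (browserid.org whitelist, multiple auths coexisting, statsd monitoring points) without a replacement; if they are tracked elsewhere, say so in the commit message, otherwise keep them as a short TODO list.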
40 docs/OPS_NOTES.md
@@ -9,39 +9,41 @@ In practice, this server **looks like an IdP**!
Although it has a `/.well-known/browserid` file, *only the ``public-key``
field is used*. The [BrowserID codebase](https://github.com/mozilla/browserid)
-has the provisioning and authentnication urls hardcoded into it's configs.
+has the provisioning and authentication urls hardcoded into it's configs.
-API Keys: Windows Live (Hotmail)
---------------------------------
-
-While we use OpenID for Google and Yahoo, Microsoft only supports OAuth2, and
-thus requires an API key. This means two things:
+Certifier
+---------
-1. Each domain must have a matching API key.
-2. Each API key must be provisioned by Microsoft.
+This server depends on a [certifier](https://github.com/mozilla/browserid-certifier).
-Real keys are managed by Ops.
+The public key for BigTent **must** match the keypair deployed to the certifier.
-Cryptographic Keys
-------------------
+BigTent will refuse to startup if this is not the case.
-This server does cryptographic operations as part of the Persona Primary
-protocol.
+Public Key
+----------
-It must have public/secret keys. There are several ways to achieve this:
+BigTent must have a public key. There are several ways to achieve this:
-- Use the environment variables `PUBLIC_KEY` and `PRIVATE_KEY`.
+- Use the environment variables `PUBLIC_KEY`.
- Use `scripts/gen_keys.js` to create `server_secret_key.json` and
`server_public_key.json` in `server/var/`.
- Do nothing and let the server generate its own "ephemeral keys," which
will change on each restart.
-Ephemeral keys are only appropriate in development environments. If deploying
-in a clustered environment, all servers must have the same keypair.
+In practise, you'll want stable keys that match your certifier.
-The private key (`server_secret_key.json`) is *extremely sensative*, protect it!
-Only the public key (`server_public_key.json`) can be shared via HTTP.
+API Keys: Windows Live (Hotmail)
+--------------------------------
+
+While we use OpenID for Google and Yahoo, Microsoft only supports OAuth2, and
+thus requires an API key. This means two things:
+
+1. Each domain must have a matching API key.
+2. Each API key must be provisioned by Microsoft.
+
+Real keys are managed by Ops.
External Requests
-----------------
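Review bot: the rewrite drops the only handling guidance for the private key while the `scripts/gen_keys.js` bullet still tells operators to generate `server_secret_key.json`; the deleted line `-The private key (`server_secret_key.json`) is *extremely sensative*, protect it!` and the one after it about only the public key being shareable over HTTP should be kept (with "sensitive" spelled correctly) or moved to the certifier docs with a pointer here, since whichever component holds the signing key is where that warning belongs. The surviving option "Do nothing and let the server generate its own ephemeral keys" now contradicts `+BigTent will refuse to startup if this is not the case.`: a freshly generated key cannot match the certifier's keypair, so either restore the deleted sentence marking ephemeral keys as development-only or drop that option. Minor: `+- Use the environment variables `PUBLIC_KEY`.` should read "environment variable" (singular), `practise` should be `practice`, and the corrected line still has `it's configs` where `its` is meant.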