A Look at Mozilla's BrowserID Project
Jul 28, 2011, 09:00
"Unlike OpenID, which associates every "decentralized" identity
with a specific URL that the user is responsible for maintaining,
BrowserID regards email addresses as the user's identity. Everyone
has an email address, and they already regard it as a personal
identifier — no extra conceptual work required.

The login process for a BrowserID-compatible site starts with
the site asking for an email address and proof-of-ownership (which
is called an "assertion" in official BrowserID parlance). In the
simple method, in order to log in, the user's browser and email
provider will both need to support the assertion-generation
process, but there are provisions for working around this. In any
event, however it is generated, the browser returns an assertion
that includes the email address in question, an "expiration date"
(so that ne'er-do-wells can't capture and replay logins later), and
an address-ownership certificate.
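
The check a relying site would run on such an assertion, as an added example that is not part of the quoted article or of Mozilla's code: it accepts the email only if the certificate is signed by the email provider, the assertion body is signed by the key that certificate names, and the expiration has not passed. The field names, the two-signature layout and the toy RSA keys (small fixed primes, insecure, standing in for a real signature scheme) are assumptions made for illustration.

```python
import hashlib, json

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy RSA key from two known primes: returns (n, d). Far too small for real use."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(obj, n):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(obj, n, d):
    return pow(digest(obj, n), d, n)

def valid(obj, sig, n):
    return pow(sig, E, n) == digest(obj, n)

# Constructed keys: one for the email provider, one for the user's browser.
PROVIDER_N, PROVIDER_D = make_key(2**127 - 1, 2**89 - 1)
USER_N, USER_D = make_key(2**107 - 1, 2**61 - 1)

def make_assertion(email, expires, cert_email=None):
    """Browser side: provider-signed certificate plus a user-signed body with an expiry."""
    cert = {"email": cert_email or email, "user_key": USER_N}
    body = {"email": email, "expires": expires}
    return {"body": body, "body_sig": sign(body, USER_N, USER_D),
            "cert": cert, "cert_sig": sign(cert, PROVIDER_N, PROVIDER_D)}

def verify_assertion(a, now, provider_n=PROVIDER_N):
    """Relying-site side: return the email on success, raise ValueError otherwise."""
    cert, body = a["cert"], a["body"]
    if not valid(cert, a["cert_sig"], provider_n):
        raise ValueError("certificate not signed by the email provider")
    if not valid(body, a["body_sig"], cert["user_key"]):
        raise ValueError("assertion not signed by the certified key")
    if cert["email"] != body["email"]:
        raise ValueError("certificate covers a different address")
    if now >= body["expires"]:
        raise ValueError("assertion expired (replayed login)")
    return body["email"]

if __name__ == "__main__":
    a = make_assertion("alice@example.org", expires=1_000_300)
    print(verify_assertion(a, now=1_000_000))  # inside the validity window
```

Because the expiration sits inside the signed body, a captured assertion cannot have its lifetime extended without breaking the signature check.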