Issue/Topic: Mozilla Proposes:
Monday – Session 2 - A
Convener: Dan, Mike, Ragavan
Notes-taker(s): Dan Mills
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Lots of questions about how this is different from just a password manager.
- It is an extension of password management, and an abstraction of the UI so that different auth mechanisms can be used.
* Password managers try to guess how a site works; Account Manager aims to be completely deterministic in its behavior.
- Account Manager includes ways for the site to advertise to the browser multiple ways of interacting (e.g. passwords vs. HTTP auth vs. OpenID), as well as the current state (signed in or not), which would otherwise need to be scraped.
How will this work with other password management extensions?
- APIs need to be included so that extensions can make use of Account Manager.
How is this better than something 401-related for intranet sites?
- Allows for disclosure of endpoints and status without a 401.
- The goal is to interop with HTTP auth, not force it on everyone.
Are you introducing new HTTP headers?
- Yes, we are using the Link header, and defining a new one for the website to advertise to the browser the current user's signed-in status.
How do you behave if you get a 401 with an unknown authentication scheme? 401 vs. 200 discussion.
Where will this code live? Will it be part of the platform? Firefox? How will this affect derivative works?
- Not 100% clear how much will be part of the embeddable Gecko vs. in Firefox.
- The protocol will of course be open, and the Firefox implementation will be open source.
Why did you restrict to just username/secret?
- The id/secret negotiation is for the username-password-form profile only; other profiles could do something different (but would need UI implemented).
Why didn't you use HTML markup for registration?
- Still a possibility, feedback welcome. We felt like it would be more error-prone.
If I don't support registration, can I just put a URL in the AMCD?
Can the site specify a password policy? Sites seem to truncate long auto-generated passwords.
- Yes, feedback welcome on whether it is sufficient.
Preventing malicious attackers from flooding the registration flow?
- Need to think about this one; open problem.
How does this fit with OpenID Connect?
- The hope is that the protocol pieces of OpenID Connect can be managed using the Account Manager UI.
Can you go to a well-known location to get a 401 that also incorporates the TLS client cert piece?
- Interesting idea, needs more thought.
Companies holding a lot of identities need to move from username/password to access tokens because of phishing attacks. They like OAuth because it is based on the WWW-Authenticate header.
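The discovery and state-advertising pieces discussed above (the Link header pointing at the AMCD, the separate status header, and the per-method endpoints in the AMCD) are worked through below as an added example; it is not code from the session, from Mozilla, or from the Account Manager draft. The relation name "acct-mgmt", the header name X-Account-Management-Status with values such as `active; id="alice"` or `none`, and the JSON shape of the AMCD are assumptions made for the example, as is the same-origin check on every advertised endpoint, which is the caveat a practitioner would want so that a Link header injected into one page cannot redirect credentials off-site.

```javascript
// Added example: a minimal client-side model of Account Manager discovery.
// ASSUMPTIONS (not confirmed by the session notes): rel="acct-mgmt" marks the
// AMCD link, the status header is X-Account-Management-Status, and the AMCD is
// JSON with a "methods" map. Endpoint paths are relative to the AMCD URL.

// Parse an RFC 5988 style Link header into [{ url, params }].
function parseLinkHeader(value) {
  const links = [];
  for (const part of value.split(/,(?=\s*<)/)) {
    const m = part.trim().match(/^<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const params = {};
    for (const p of m[2].split(';')) {
      const kv = p.trim().match(/^([^=]+)=\s*"?([^"]*)"?$/);
      if (kv) params[kv[1].trim().toLowerCase()] = kv[2];
    }
    links.push({ url: m[1], params });
  }
  return links;
}

// Return the AMCD URL advertised for this page, resolved against the page URL,
// or null if none is advertised. No AMCD means no Account Manager UI at all:
// the browser does not fall back to guessing how the site's forms work.
function discoverAmcd(pageUrl, linkHeader) {
  if (!linkHeader) return null;
  for (const link of parseLinkHeader(linkHeader)) {
    const rels = (link.params.rel || '').toLowerCase().split(/\s+/);
    if (rels.includes('acct-mgmt')) return new URL(link.url, pageUrl).href;
  }
  return null;
}

// Parse the (assumed) status header: 'active; id="alice"' -> {status, id}.
function parseStatus(value) {
  if (!value) return { status: 'unknown' };
  const [status, ...rest] = value.split(';').map(s => s.trim());
  const out = { status: status.toLowerCase() };
  for (const p of rest) {
    const kv = p.match(/^([^=]+)=\s*"?([^"]*)"?$/);
    if (kv) out[kv[1].trim().toLowerCase()] = kv[2];
  }
  return out;
}

// Decide what the browser should offer from the AMCD plus the status header.
// Every endpoint must be same-origin with the AMCD (check added for this example).
function chooseAction(amcdUrl, amcd, statusHeader) {
  const status = parseStatus(statusHeader);
  const origin = new URL(amcdUrl).origin;
  const resolve = path => new URL(path, amcdUrl);
  const sameOrigin = path => typeof path === 'string' && resolve(path).origin === origin;
  const methods = (amcd && amcd.methods) || {};
  const form = methods['username-password-form'];

  if (status.status === 'unknown') {
    return { action: 'none', reason: 'no status header; not scraping the page' };
  }
  if (status.status === 'active') {
    if (form && form.disconnect && sameOrigin(form.disconnect.path)) {
      return { action: 'offer-signout', id: status.id, endpoint: resolve(form.disconnect.path).href };
    }
    return { action: 'show-signed-in', id: status.id };
  }
  // Not signed in: prefer the form profile, then HTTP auth, else nothing.
  if (form && form.connect && sameOrigin(form.connect.path)) {
    return {
      action: 'offer-signin',
      method: 'username-password-form',
      endpoint: resolve(form.connect.path).href,
      canRegister: !!(form.register && sameOrigin(form.register.path)),
    };
  }
  if (methods['http-auth']) {
    return { action: 'offer-signin', method: 'http-auth', realm: methods['http-auth'].realm };
  }
  return { action: 'none', reason: 'no usable method advertised' };
}

// Constructed sample input (not captured from any real site).
const SAMPLE_PAGE = 'https://example.com/home';
const SAMPLE_LINK = '</meta/amcd.json>; rel="acct-mgmt", </style.css>; rel=stylesheet';
const SAMPLE_AMCD = {
  methods: {
    'username-password-form': {
      connect: { method: 'POST', path: '/login', params: { username: 'user', password: 'pass' } },
      disconnect: { method: 'POST', path: '/logout' },
      register: { method: 'POST', path: '/signup' },
    },
    'http-auth': { realm: 'intranet' },
  },
};
// An AMCD whose sign-in endpoint points off-origin; the check above rejects it.
const EVIL_AMCD = { methods: { 'username-password-form': { connect: { path: 'https://evil.example/login' } } } };

const SAMPLE_AMCD_URL = discoverAmcd(SAMPLE_PAGE, SAMPLE_LINK);
console.log(SAMPLE_AMCD_URL);
console.log(JSON.stringify(chooseAction(SAMPLE_AMCD_URL, SAMPLE_AMCD, 'none')));
console.log(JSON.stringify(chooseAction(SAMPLE_AMCD_URL, SAMPLE_AMCD, 'active; id="alice"')));
console.log(JSON.stringify(chooseAction(SAMPLE_AMCD_URL, EVIL_AMCD, 'none')));
```

Run with `node` to see the three decisions. The absent-header case deliberately returns no action: the whole point of the status header is that the browser never has to infer signed-in state from page content, so the example refuses to guess rather than scraping.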
Account Manager meet-up at the Mozilla offices in downtown Mountain View this Friday afternoon, see the Account Manager page for details: http://www.mozilla.com/firefox/accountmanager