Read through your link, and here's just an observation -
> BrowserID is a decentralized identity system
BrowserID effectively links identity an email service provider, and while I realize that not everyone shares their emails with Google, a vast majority of people still does. That's not that much of decentralization, is it? Practically speaking.
(edit) Added practically speaking... and ease up on that downvoting, distinguished HN comrades. Non-natural post scores hurt my feelings.
"decentralization" doesn't mean "forced decentralization". Anyone can register a domain name and have their own email at that domain, so anyone can create an identity. And ignoring the transitional bits in BrowserID, eventually that identity gets controlled entirely by the public/private keys in the user's browser.
Or, in other words: if you don't trust Google, don't use gmail; that someone else chooses to do so doesn't make this system less secure for you.
Sure, I understand that of course. I am just saying that practically speaking this property is not going to matter much in the world where everyone and their dog is on GMail. It is certainly nice to have though.
The last numbers I saw put Gmail at under 10% of email account marketshare. Hotmail and Yahoo both had much bigger shares.
It's difficult to imagine an authentication system that doesn't have some kind of centralized mechanism for making sure identities aren't duplicated. In this case, delegating that to a combination of two existing technologies (DNS for the domain, then email for the username) that are open, well understood and easy to implement seems appropriate.
What's the alternative? Using some kind of pseudo-GUID and then maybe a derivative of the Paxos distributed consensus algorithm to decide if it is to be trusted? I'd imagine there would be a good number of PhDs in that approach before a system like that would be close to being ready for actual implementation.
This system seems just about as decentralized as is practical. If you disagree I'd be very happy to hear alternatives.
You can have fully decentralized identities quite trivially: just create a public/private key. No consensus algorithms required. With browsers now supporting synchronization features to connect the browsers on all systems used by a single user, such a system could actually work quite well now, without the usability issues it would once have had.
This is a variety of SPKI[1], right? I was thinking of a conventional PKI approach, with an adapted web of trust to verify identities [2].
You are right - theoretically this could work. But it would pretty much take a "boil the ocean" approach to make it work.
Browsers would need to implement a secure (private) keystore, and presumably some way to sync that to other browsers.
A whole new standardized authentication flow would need to be created, which wouldn't be the same as the existing certificate-based authentication (which no one uses anyway)
A system that assumes that everyone is on GMail will tend to ensure that everyone is on GMail, whether or not that's a good thing.
Decentralization leaves the possibility of that situation changing open. That matters.
(Or, less philosophically: there was a time that everyone and their dog were on Internet Explorer. I think we're all glad that we didn't close the door to browsers other than IE.)
Uh, GMail users are a minority. Besides, the system is decentralized - the fact that most people can choose the same server is not a problem of the system.
Besides, the fact is that most websites already use email, so BrowserID is not any worse than the status quo.
I don't completely understand all this yet, but it appears that what distinguishes the system from one that is entirely trusting of client-side JS code, is the fact that the e-mail provider signs user's key. That means that we must be able to get the e-mail provider's public key somehow. There is supposed to be no central authority, so we must get it directly from the e-mail provider.
Your link includes this line:
> 4. Public key(s) for gmail.com are attained from a well-known location on their servers (specifics TBD).
This service is absolutely necessary to get BrowserID working, but they haven't figured out the specifics yet. I think they need to get beyond that "TBD" pretty darned quick.
Why would you want your email provider to support BrowserID? I'd consider it invasive for my email provider to do anything different to interfere with the email verification process for another site.
The proposed BrowserID standard specifically suggests that the browser should ask the email provider to validate the email, and only fall back to the usual email-me-a-link validation if the email provider doesn't "natively" support BrowserID. I'd prefer to always go through email-me-a-link verification (ideally with some kind of crypto involved), rather than involving the email provider in any way other than SMTP and IMAP.
I've read it more thoroughly now, but I'm still not sure where you're coming from. You'd rather use a secondary identity authority, even when a primary is available? Or are you saying you'd like to require a full send-me-an-email-and-i'll-click-on-a-link verification every time you log in to a relying party?
When your browser and email provider both support BrowserID:
1. You log into e.g. gmail.
2. Your browser generates a keypair and sends the public key to gmail.
3. Gmail signs your public key and sends your browser a certificate saying "this key is owned by whoever@gmail.com".
4. You click "sign in" on some site (e.g. Hacker News) that uses BrowserID.
5. Your browser sends Hacker News an message saying "my user is whoever@gmail.com", that is signed with the private key generated in step 2.
6. Hacker News looks at the "gmail.com", grabs gmail's public key (the one that signed your public key in step 3) and verifies the signatures.
Hacker News now knows that you control whoever@gmail.com.
The process is described fairly well (diagrams and everything) at http://lloyd.io/how-browserid-works