Francois Marier
Forum Replies Created
Actually, you’re right, my fix is wrong!
However, it’s not exactly what you said. The server that issues certificates actually has nothing to do with the server that verifies these certificates.
So while an admin who installs your plugin can choose to switch to a different verification server, they cannot choose to use a different certificate issuer.
The certificate issuer is determined by the email address that the end user uses to log in. Currently, almost all of the emails are using what we call the “fallback identity provider” (login.persona.org) to get a certificate. However, if an email is from a domain which runs a primary identity provider, then the issuer will be that domain.
You can try it out yourself:
1. create an “email” account on https://eyedee.me
2. try logging into your WordPress site with [email protected]. This will fail because the issuer of your certificate will be “eyedee.me”, not “login.persona.org”
I have added a second patch to my repository to fix this:
https://github.com/fmarier/wordpress-browserid/commit/6bab1382cd56a02c6aa64bb1f6fb170db8bd744f
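The issuer check discussed in the reply above, as an added example that is not code from the plugin or from the post: it validates a verifier response and accepts the issuer only if it is the email's own domain (a primary identity provider such as eyedee.me) or the fallback provider login.persona.org, never by comparing it with the verifier hostname. The field names follow the Persona verifier's JSON response (status, email, audience, expires, issuer); the sample responses, the site URL and the fixed clock are constructed, and treating `expires` as milliseconds since the epoch is an assumption of this example.

```python
"""Validate a Persona/BrowserID verifier response, keeping the issuer
check separate from whichever verifier host the site admin configured."""
import json
import time

# Fallback identity provider named in the post: it issues certificates for
# addresses whose domain does not run its own (primary) identity provider.
FALLBACK_IDP = "login.persona.org"


def email_domain(email):
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return domain.lower()


def issuer_is_acceptable(email, issuer):
    """The issuer must be the email's own domain (a primary IdP, as with
    eyedee.me in the post) or the fallback IdP. Which verifier host the
    admin chose plays no part in this decision."""
    issuer = issuer.lower()
    return issuer == email_domain(email) or issuer == FALLBACK_IDP


def issuer_equals_verifier_host(issuer, verifier_host):
    """The check the post describes as wrong: comparing the issuer with the
    verifier hostname rejects every primary-IdP login. Kept only to show
    the mistake side by side with the correct check."""
    return issuer.lower() == verifier_host.lower()


def validate_verifier_response(body, expected_audience, now_ms=None):
    """Parse a verifier JSON response and return (ok, reason).

    'expires' is treated as milliseconds since the epoch (assumption)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    if data.get("status") != "okay":
        return False, "status not okay: %s" % data.get("reason", "unknown")
    for field in ("email", "audience", "expires", "issuer"):
        if field not in data:
            return False, "missing field: %s" % field
    if data["audience"] != expected_audience:
        return False, "audience mismatch"
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if int(data["expires"]) <= now_ms:
        return False, "assertion expired"
    try:
        if not issuer_is_acceptable(data["email"], data["issuer"]):
            return False, "unexpected issuer: %s" % data["issuer"]
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample responses, modelled on the verifier's JSON shape.
SITE = "https://blog.example"            # constructed audience
NOW_MS = 1350000000000                   # fixed clock so runs are repeatable

PRIMARY_IDP_RESPONSE = json.dumps({
    "status": "okay", "email": "someone@eyedee.me", "audience": SITE,
    "expires": NOW_MS + 60000, "issuer": "eyedee.me"})
FALLBACK_RESPONSE = json.dumps({
    "status": "okay", "email": "someone@nosuchidp.example", "audience": SITE,
    "expires": NOW_MS + 60000, "issuer": "login.persona.org"})
BAD_ISSUER_RESPONSE = json.dumps({
    "status": "okay", "email": "someone@nosuchidp.example", "audience": SITE,
    "expires": NOW_MS + 60000, "issuer": "other.example"})
FAILURE_RESPONSE = json.dumps({"status": "failure", "reason": "no certificate"})

if __name__ == "__main__":
    samples = [("primary IdP", PRIMARY_IDP_RESPONSE),
               ("fallback IdP", FALLBACK_RESPONSE),
               ("bad issuer", BAD_ISSUER_RESPONSE),
               ("verifier failure", FAILURE_RESPONSE)]
    for label, body in samples:
        print(label, validate_verifier_response(body, SITE, NOW_MS))
    # The mistaken check rejects the legitimate eyedee.me login:
    print("issuer == verifier host:",
          issuer_equals_verifier_host("eyedee.me", "login.persona.org"))
```

The two issuer functions side by side make the post's point concrete: `issuer_equals_verifier_host` returns False for a valid eyedee.me login, while `issuer_is_acceptable` admits it and still rejects an issuer that is neither the email's domain nor the fallback provider.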
Sorry for the late notice. We now have a very low traffic mailing list that you could join to get notified of changes that might impact your plugin:
https://mail.mozilla.org/listinfo/persona-notices
I’ve looked at your code and here is my proposed fix:
https://github.com/fmarier/wordpress-browserid/commit/74459e0c34ffb76f8fa2ab6d80f9684330c2f288
It uses the right hostname for the verifier while still maintaining the security check you have. It’s worth noting that the certificate issuer is no longer the same as the verifier.
Actually, that URL is wrong. It currently works but that’s a bug that we will be fixing soon.
The correct URL for the verifier is: