I added a first draft of the API here: https://github.com/tarekziade/share/blob/master/API.rst#apis

key principles:

- keys are stored per app. Adding new apps in the service is a manual process.
- you can use the service with an fxa oauth token or with an API key.
- an application can only retrieve its users' public keys (API key authentication)
- a user can store and retrieve their keys & list their apps (FxA authentication)

There is no search/discovery feature: apps must know their users' emails, and users must go through the apps to get back any information on other users.

I think this is restrictive enough to avoid most privacy concerns, like social graph leaks - but open enough for our two primary use cases.

Cheers
Tarek

On Mon, Dec 29, 2014 at 10:26 AM, Tarek Ziade <[email protected]> wrote:
> On Wed, Dec 24, 2014 at 2:27 AM, Christopher Karlof <[email protected]> wrote:
> [..]
>>> I guess you would only want a single keypair on the server, so there
>>> should probably be a "check for existing keypair and decrypt it if found"
>>> step in there as well.
>>>
>>> Ryan
>>
>> It’s not clear to me whether the user would have a single key pair or one
>> per sharing application.
>
> It seems better to isolate each application and have one key pair per
> application. This will let you revoke/renew a keypair without impacting
> other apps for instance.
>
>> -chris
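The access rules listed in the message above, sketched as an added example; this is not the API from API.rst or the project's code. All class and method names are hypothetical, the sample app names and email are constructed, and storing the private half as an opaque blob is an assumption.

```python
class Forbidden(Exception):
    """The caller's credential type does not allow this operation."""

class AppCaller:
    """Request authenticated with an application's API key."""
    def __init__(self, app):
        self.app = app

class UserCaller:
    """Request authenticated with a user's FxA OAuth token."""
    def __init__(self, email):
        self.email = email

class KeyStore:
    def __init__(self, registered_apps):
        self.apps = set(registered_apps)   # apps are added manually
        self._keys = {}                    # (app, email) -> (public_key, private_blob)

    def _require(self, caller, kind):
        if not isinstance(caller, kind):
            raise Forbidden(kind.__name__ + " credentials required")

    def store_keys(self, caller, app, public_key, private_blob):
        self._require(caller, UserCaller)
        if app not in self.apps:
            raise Forbidden("unknown app")
        self._keys[(app, caller.email)] = (public_key, private_blob)

    def retrieve_keys(self, caller, app):
        self._require(caller, UserCaller)
        return self._keys[(app, caller.email)]   # only the caller's own entry

    def list_apps(self, caller):
        self._require(caller, UserCaller)
        return sorted(a for (a, e) in self._keys if e == caller.email)

    def public_key_for(self, caller, email):
        # No search or listing: the app must already know the email, and the
        # lookup is confined to the calling app's own namespace.
        self._require(caller, AppCaller)
        return self._keys[(caller.app, email)][0]

def demo():
    store = KeyStore(["chat", "files"])          # constructed app names
    alice = UserCaller("alice@example.com")      # constructed user
    store.store_keys(alice, "chat", "PUB-chat", "BLOB-chat")
    results = {"own_app": store.public_key_for(AppCaller("chat"), "alice@example.com"),
               "apps": store.list_apps(alice)}
    try:
        store.public_key_for(AppCaller("files"), "alice@example.com")
    except KeyError:
        results["other_app"] = "not found"       # per-app isolation
    return results
```

Because keys are indexed by the (app, email) pair, revoking or renewing the keypair for one app leaves the user's entries for other apps untouched.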

