Reputation: 16962
I host my own static HTML site, which also serves as an OpenID delegate. This means I can use my own URL for OpenID logins, but hand over the actual work to someone else (with the associated cost of having to trust them).
How can I do something similar with BrowserID?
The delegated support docs say:
A domain may delegate to any other domain, so long as the other domain publishes a /.well-known/browserid document.
So I'm guessing I can put a browserid file on my site, accessible at https://mysite.example.com/.well-known/browserid, containing:

    {
      "authority": "login.persona.org"
    }
...which should delegate BrowserID queries to Mozilla Persona.
But, if I'm not running my own mail server, what happens next? What (non-functional) email address do I log in with? Assuming I can do that, how is verification handled?
Alternatively, does Persona have a generic OpenID identity bridge, in addition to the Yahoo- and Gmail-specific ones? (Again, the question becomes which email address would I use in this case?)
Upvotes: 0
Views: 68
Reputation: 660
There's no point in delegating to login.persona.org because that's the fallback identity provider which will be used if you don't delegate. Also, if you're not running a mail server on your domain then the fallback won't work for you because it's email-based.
On the other hand, the rest of the steps you wrote would work if you were to delegate to a service like https://persowna.net/ which shouldn't require you to have a mail server on your domain.
There is no generic OpenID bridge, but here's a Persona identity provider I wrote to allow me to delegate to an OpenID provider manually: https://github.com/fmarier/persona-openid-delegation
Upvotes: 1
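The delegation rules discussed in this question and answer, as an added example that is not part of the original posts or of Persona's code: a resolver that follows "authority" delegation between /.well-known/browserid documents and flags the two cases the answer raises. The domains, the sample documents and the hop limit are constructed assumptions; the documents are embedded inline so nothing is fetched.

```python
import json

FALLBACK = "login.persona.org"   # fallback IdP named in the answer above
MAX_HOPS = 5                     # assumed hop limit for this example
PRIMARY_FIELDS = {"public-key", "authentication", "provisioning"}

# Constructed sample documents keyed by domain; each string stands in for
# the body served at https://<domain>/.well-known/browserid.
SAMPLE_DOCS = {
    "mysite.example.com": '{"authority": "idp.example.net"}',
    "idp.example.net": '{"public-key": {"algorithm": "RS"}, '
                       '"authentication": "/auth", "provisioning": "/prov"}',
    "redundant.example.org": '{"authority": "login.persona.org"}',
    "loop-a.example.org": '{"authority": "loop-b.example.org"}',
    "loop-b.example.org": '{"authority": "loop-a.example.org"}',
}

def resolve_idp(domain, docs=SAMPLE_DOCS, max_hops=MAX_HOPS):
    """Return (authoritative_idp, delegation_chain, warnings) for a domain."""
    chain, warnings = [domain], []
    while True:
        current = chain[-1]
        raw = docs.get(current)
        if raw is None:
            if len(chain) > 1:
                # A delegation target must publish its own document.
                raise ValueError(f"{current} publishes no support document")
            warnings.append("no support document: the email-based fallback "
                            "needs a working mailbox on this domain")
            return FALLBACK, chain, warnings
        doc = json.loads(raw)
        if "authority" not in doc:
            # Not a delegation, so it must be a full IdP support document.
            missing = PRIMARY_FIELDS - set(doc)
            if missing:
                raise ValueError(f"{current}: missing {sorted(missing)}")
            return current, chain, warnings
        target = doc["authority"]
        if target == FALLBACK:
            warnings.append("delegating to the fallback changes nothing")
            return FALLBACK, chain + [target], warnings
        if target in chain:
            raise ValueError(f"delegation loop via {target}")
        if len(chain) > max_hops:
            raise ValueError("too many delegation hops")
        chain.append(target)
```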