Since password-based authentication based on credentials specific to each web site you sign up with is both a hassle and a security liability, a couple of alternative web authentication mechanisms have emerged. Notable examples include TLS client certificates, OpenID, and OAuth. Since none of these mechanisms have found widespread use as a replacement for username/password authentication, Mozilla have been developing a protocol called BrowserID, which combines a decentralized authentication system à la OpenID with the email-based login procedure users are familiar with.

While the BrowserID infrastructure is still undergoing active development, the API is stable and ready to use, and a relying party is very easy to implement. On signup, users are faced with a familiar-looking, password-based authentication dialog based on JavaScript.

While BrowserID works without special support from the email provider (in which case the Mozilla-operated website will do the authentication), such support is necessary for full decentralization. In particular, if you are your own email provider, you may want to set up your own authentication service, which in this case, Mozilla call a primary.

Therefore, I have implemented a basic BrowserID primary called MulkyID, which piggybacks on an existing IMAP server for authentication, as a set of simple CGI scripts ready for deployment.

Note that this is alpha-quality software, so expect some rough edges. Contributions are, as always, welcome. Since the code base is quite small, I encourage you to read the code in order to get a feel for what it does and possibly spot any remaining bugs.