Protecting email addresses

I'm using Persona to handle authentication for badges. This is largely because that's what Mozilla open badges use. However it does mean that I can avoid storing any identifiable data, even though I have to host the assertion evidence that open badges needs to prove that a particular person has been awarded a particular badge. Here's how. 

Where everything is kept

There are a a number of technologies mashed up together to create this badge issuing environment
  • Scriptdb - Keeps all data about badges, questions, collections of things to go together. In a (likely separate) scriptDB, the awards data is kept. When someone takes a test and achieves a passmark an award is registered in scriptdb, and control is given to Mozilla to add a badge to the backpack associated with the current Persona Login. It is important to note that no email addresses or any other identifier is stored here. I'll describe later how the association is made.
  • Google apps script - In addition to the method for creating the badge environment from a spreadsheet , there are another couple of important apps script web applications. The badgeOrganizer serves up information about the badge environment and the assertionManager maintains the awards scriptdb. The assertion manager provides data about an award to the Mozilla backpack environment on demand, but it works through a php proxy to avoid cross domain restrictions. It also updates the awards scriptdb when a badge is awarded.
  • javaScript - the badgeManager would normally included in an iFrame or gadget on a web page and manages the user interaction, question marking, badge awarding, and persona and openbadges integration - either directly or through php proxies.
  • PHP - for security reasons openbadges and persona need to interact with server based functions. Signin, signout and integration with open badges all happen through some trivial php code.

Privacy

Persona handles authentication and the username/password combination are never seen by the calling application. An email address is picked up from Persona, however it is never stored anywhere. Instead, a one way hash of the email and badge are made and it is this key that is used to store the award against. In this way, the email address of the badge earner are never stored in the scriptDB database, and we can still provide the assertion (proof of earning), that openbadges obliges us to host.

assertionManager code.

The code for the other modules are shown elsewhere, but this is all the code you need to provide to create your own assertion manager. You can just copy as is (to create your own private scriptDb and defaults) and publish the script as your assertion manager.  As with most of the environment the main code is in the mcpher library, which you need to add to your project references.



assertionManager library code





Taking the test

I'm issuing badges. Try it on the right. 




For help and more information join our forum,follow the blog or follow me on twitter .



Comments