Mozilla "Persona" beta release
Posted Sep 28, 2012 22:55 UTC (Fri) by alankila (subscriber, #47141)
I think this looks a whole lot like OpenID, in the end. In both cases you're supposed to run some web server software to handle the login process for relying parties. The only major difference is that instead of your identity being a URL, it's an email, but that email is converted to a URL by a convention, and that URL is then used to look up the API's relevant details.
Mozilla's additional trick here is that if your email-like identity's provider doesn't support this protocol (the derived URL doesn't contain a valid document), they offer some kind of implementation which can do the authentication nevertheless. I presume *that* does send emails to the address, and you have to read them and maybe follow a link or copy-paste some token from that email to prove that you can read messages sent to that email address.
Posted Sep 29, 2012 21:30 UTC (Sat) by geofft (subscriber, #59789)
The WebFinger home page makes this point in more detail, and Persona is heavily inspired by WebFinger.
Posted Oct 1, 2012 1:48 UTC (Mon) by roc (subscriber, #30627)
With BrowserID an ID provider can at most deduce (via its key being fetched) that *some* unspecified user is logging into a particular site, and because the key is cached this notification only happens once in a while (e.g. every 12 hours).
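As an added illustration (not code from any comment in this thread or from Mozilla's Persona) of the two mechanics described above: alankila's point that the email's domain is turned into a support-document URL by convention, with a fallback provider when no document is there, and roc's point that the relying party caches the provider's key so the provider sees at most one anonymous fetch per cache lifetime. The support documents, the `fallback.example` host and the `eyedee.example` domain are constructed for the example, and the 12-hour lifetime is taken from roc's figure; only the `/.well-known/browserid` path is the real convention.

```python
from typing import Callable, Optional

FALLBACK_IDP = "fallback.example"   # assumption; stands in for Mozilla's fallback IdP
KEY_TTL_SECONDS = 12 * 3600         # roc's "every 12 hours" cache lifetime

# Constructed support documents, keyed by the URL they would be fetched from.
SUPPORT_DOCS = {
    "https://eyedee.example/.well-known/browserid": {"public-key": "KEY-eyedee"},
    "https://fallback.example/.well-known/browserid": {"public-key": "KEY-fallback"},
}


def support_doc_url(domain: str) -> str:
    """The conventional URL at which a domain publishes its BrowserID document."""
    return f"https://{domain}/.well-known/browserid"


class IdpKeyCache:
    """Relying-party side: resolve an email to the issuer and key that must
    have signed the user's certificate, contacting the provider only when the
    cached key has expired."""

    def __init__(self, now: Callable[[], float]):
        self.now = now
        self.fetches = 0           # how many times a provider was actually contacted
        self._cache: dict = {}     # domain -> (issuer, key, expires_at)

    def _fetch(self, url: str) -> Optional[dict]:
        """Offline stand-in for an HTTPS GET of the support document."""
        self.fetches += 1
        return SUPPORT_DOCS.get(url)

    def issuer_and_key(self, email: str):
        domain = email.rsplit("@", 1)[1].lower()
        hit = self._cache.get(domain)
        if hit and hit[2] > self.now():
            return hit[0], hit[1]  # cache hit: the provider learns nothing
        issuer, doc = domain, self._fetch(support_doc_url(domain))
        if doc is None:            # domain does not speak the protocol: use the fallback
            issuer, doc = FALLBACK_IDP, self._fetch(support_doc_url(FALLBACK_IDP))
        key = doc["public-key"]
        self._cache[domain] = (issuer, key, self.now() + KEY_TTL_SECONDS)
        return issuer, key
```

Note that the fetch carries no user identity at all; the cache is keyed by domain, so two different users of the same provider share one fetch, which is exactly why the provider cannot tell who logged in.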
Posted Oct 4, 2012 9:39 UTC (Thu) by alankila (subscriber, #47141)
Posted Oct 8, 2012 3:43 UTC (Mon) by ras (subscriber, #33059)
Yes, this is true. But OpenID implemented well reveals nothing about you to the site you are logging into. They just get a nonce. And while it is true your OpenID provider does get to see your login, you can choose your OpenID provider and chain them.
Persona also has a big disadvantage: it uses the same unique user name for every site. So if sites cooperate they can track your movements without your knowledge.
So they both have bad sides. I think Persona's is worse. While it is true my OpenID provider does get to see all my logins, I get to choose my OpenID provider. I could even set up my own provider, if I so choose. But say I want to use Twitter with Persona: then I don't have the choice of choosing some other "Twitter provider" because I trust them more with my email address.
This was a really odd design choice by the Persona developers. I can't understand why they designed an auth protocol that forces you to remember any identifier (or "principal" in the parlance used by the Persona spec) - be it an email address or anything else. The association should be between one meaningless nonce and another, nothing more. If the use case then warrants tying other data to that association, like an email address, name, phone number or whatever, then that's fine, but the protocol shouldn't force that onto you.
Posted Oct 8, 2012 4:05 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
And Persona doesn't preclude the use of ephemeral names like N123123@nopersona.org (which I've just registered) to make tracking more complex.
I mostly see the unified name as a feature, not a bug.
Posted Oct 8, 2012 4:18 UTC (Mon) by ras (subscriber, #33059)
Yes, it uses a URL. But as of version 2 a provider can provide the same login URL for all users. Google's implementation does this. I would not use any OpenID provider that didn't do it, which among other things means I wouldn't use any provider who only implements version 1.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds