From this, why is a mail provider involved? I'm self-attesting either way.
Mozilla "Persona" beta release
Posted Sep 28, 2012 22:55 UTC (Fri) by ewan (subscriber, #5533)
I haven't read the spec at all, but completely off the top of my head, I'd have thought the point would be to use your email address as a unique identifier (as many sites do now), and provide a way to prove that the browser trying to log into my website belongs to the same person as the email address. You can 'self attest' and that's fine - the point would surely be that I cannot pretend to be you. Of course, you could make your mail server pretend that I'm you, so I could impersonate you with your permission, but that's true of most authentication - if you have a password, you can tell me what it is.
Posted Sep 28, 2012 23:58 UTC (Fri) by thedevil (subscriber, #32913)
I control my email address, but not the web server at the domain (all the mail gets forwarded with procmail).
Posted Sep 29, 2012 21:46 UTC (Sat) by geofft (subscriber, #59789)
Posted Sep 29, 2012 4:19 UTC (Sat) by k8to (subscriber, #15413)
Posted Sep 30, 2012 2:48 UTC (Sun) by geofft (subscriber, #59789)
Posted Sep 29, 2012 21:28 UTC (Sat) by geofft (subscriber, #59789)
1) If you have the appropriate setup in /.well-known/ via HTTPS, then authentication is through that key (specifically it accepts assertions signed by that public key).
2) If you don't, it falls back to a publicly-trusted Persona server, which at the moment is Mozilla (in theory it could be anything else, but Mozilla works well enough for now).
You get more control/security and more convenience if you do option 1 -- in particular, the way Mozilla implements option 2 is by doing the email-verification dance -- but both options work well enough.
Posted Sep 30, 2012 2:50 UTC (Sun) by geofft (subscriber, #59789)
If you as a domain owner don't want mail to be involved / want to make life easier for your users, implement Persona. If you as a domain owner don't care about Persona but run an email server, then anyone with an email address at your domain can still use Persona.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds