Posted Sep 28, 2012 22:55 UTC (Fri) by ewan (subscriber, #5533)
"From this, why is a mail provider involved? I'm self-attesting either way"
I haven't read the spec at all, but completely off the top of my head, I'd have thought the point would be to use your email address as a unique identifier (as many sites do now), and provide a way to prove that the browser trying to log into my website belongs to the same person as the email address. You can 'self attest' and that's fine - the point would surely be that I cannot pretend to be you. Of course, you could make your mail server pretend that I'm you, so I could impersonate you with your permission, but that's true of most authentication - if you have a password, you can tell me what it is.
Mozilla "Persona" beta release
Posted Sep 28, 2012 23:58 UTC (Fri) by thedevil (subscriber, #32913)
This would never work for me the way I am set up.
I control my email address, but not the web server at the domain (all the mail gets forwarded with procmail).
Posted Sep 29, 2012 21:46 UTC (Sat) by geofft (subscriber, #59789)
What's your setup? All it requires is being able to put a single file inside /.well-known/, or have whoever's running the web server at your domain do that. If you can't do that, I'd argue you don't in fact control the domain. (If they're sending stuff to you via procmail, they can intercept it at any point...)
Posted Sep 29, 2012 4:19 UTC (Sat) by k8to (subscriber, #15413)
But I can pretend to be anyone at my domain (there are several).
Posted Sep 30, 2012 2:48 UTC (Sun) by geofft (subscriber, #59789)
If you own the domain, then yeah, that's true; that's what owning the domain means.
Posted Sep 29, 2012 21:28 UTC (Sat) by geofft (subscriber, #59789)
There are two ways to use Persona:
1) If you have the appropriate setup in /.well-known/ via HTTPS, then authentication is through that key (specifically it accepts assertions signed by that public key).
2) If you don't, it falls back to a publicly-trusted Persona server, which at the moment is Mozilla (in theory it could be anything else, but Mozilla works well enough for now).
You get more control/security and more convenience if you do option 1 -- in particular, the way Mozilla implements option 2 is by doing the email-verification dance -- but both options work well enough.
Posted Sep 30, 2012 2:50 UTC (Sun) by geofft (subscriber, #59789)
It's a bootstrapping mechanism. Mozilla is not going to get instant buy-in from every single domain owner, so one way to use Persona is for the website that wants to do Persona logins to rely on Mozilla's central trusted Persona server, which in turn relies on actual e-mail verification. The other way is to bypass Mozilla's trusted server and rely on the domain implementing Persona natively.
If you as a domain owner don't want mail to be involved / want to make life easier for your users, implement Persona. If you as a domain owner don't care about Persona but run an email server, then anyone with an email address at your domain can still use Persona.
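The two options from geofft's comments above (a key published under /.well-known/, or the fallback server), sketched as an added example that is not part of the thread and not Persona's own code. It shows which signer a site would accept for a given address. The domain names, the keys, the `wellKnown` map standing in for the HTTPS fetch, and the single-signature assertion format (no certificate chain) are constructed assumptions.

```javascript
const crypto = require("node:crypto");

// Constructed keys: two domains that publish a key, plus the fallback server.
const domainKeys = crypto.generateKeyPairSync("ed25519");
const otherKeys = crypto.generateKeyPairSync("ed25519");
const fallbackKeys = crypto.generateKeyPairSync("ed25519");

// Hypothetical stand-in for fetching the file under https://<domain>/.well-known/.
// A domain missing from this map has no native Persona setup.
const wellKnown = new Map([
  ["example.org", domainKeys.publicKey],
  ["other.example", otherKeys.publicKey],
]);
const FALLBACK = { name: "fallback.example", publicKey: fallbackKeys.publicKey };

// Issuer side: sign a claim that `email` belongs to the bearer.
function signAssertion(issuer, privateKey, email) {
  const payload = Buffer.from(JSON.stringify({ issuer, email }));
  return { payload, signature: crypto.sign(null, payload, privateKey) };
}

// Site side: return the issuer name if the assertion is acceptable, else null.
function acceptAssertion(assertion) {
  let claim;
  try { claim = JSON.parse(assertion.payload.toString("utf8")); } catch { return null; }
  if (!claim || typeof claim.email !== "string" || typeof claim.issuer !== "string") return null;
  const at = claim.email.lastIndexOf("@");
  if (at < 1 || at === claim.email.length - 1) return null;
  const domain = claim.email.slice(at + 1).toLowerCase();
  // Option 1: the domain publishes a key, so only that key counts.
  // Option 2: nothing published, so only the fallback server counts.
  const authority = wellKnown.has(domain)
    ? { name: domain, publicKey: wellKnown.get(domain) }
    : FALLBACK;
  if (claim.issuer !== authority.name) return null;
  const ok = crypto.verify(null, assertion.payload, authority.publicKey, assertion.signature);
  return ok ? authority.name : null;
}
```

A domain's key can vouch for any address at that domain and for no address anywhere else, which is the property discussed in the replies about owning the domain.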