| |||||||||||||
Mozilla "Persona" beta releaseMozilla "Persona" beta releasePosted Sep 28, 2012 22:55 UTC (Fri) by ewan (subscriber, #5533)In reply to: Mozilla "Persona" beta release by k8to Parent article: Mozilla "Persona" beta release
"From this, why is a mail provider involved? I'm self-attesting either way"
I haven't read the spec at all, but completely off the top of my head, I'd have thought the point would be to use your email address as a unique identifier (as many sites do now), and provide a way to prove that the browser trying to log into my website belongs to the same person as the email address. You can 'self attest' and that's fine - the point would surely be that I cannot pretend to be you. Of course, you could make your mail server pretend that I'm you, so I could impersonate you with your permission, but that's true of most authentication - if you have a password, you can tell me what it is.
(Log in to post comments)
Mozilla "Persona" beta release Posted Sep 28, 2012 23:58 UTC (Fri) by thedevil (subscriber, #32913) [Link]
This would never work for me the way I am set up.
I control my email address, but not the web server at the domain (all the mail gets forwarded with procmail).
Mozilla "Persona" beta release Posted Sep 29, 2012 21:46 UTC (Sat) by geofft (subscriber, #59789) [Link]
What's your setup? All it requires is being able to put a single file inside /.well-known/, or have whoever's running the web server at your domain do that. If you can't do that, I'd argue you don't in fact control the domain. (If they're sending stuff to you via procmail, they can intercept it at any point...)
Mozilla "Persona" beta release Posted Sep 29, 2012 4:19 UTC (Sat) by k8to (subscriber, #15413) [Link]
But I can pretend to be anyone at my domain (there are several).
Mozilla "Persona" beta release Posted Sep 30, 2012 2:48 UTC (Sun) by geofft (subscriber, #59789) [Link]
If you own the domain, then yeah, that's true; that's what owning the domain means.
|
|||||||||||||