> It has a big privacy advantage: with OpenID, your OpenID provider is informed of every site you log into, every time you log into it.
Yes, this is true. But OpenID implemented well reveals nothing about you to the site you are logging into. They just get a nonce. And while it is true your OpenID provider does get to see your login, you can choose your OpenID provider and chain them.
Persona also has a big disadvantage: it uses the same unique user name for every site. So if sites cooperate they can track your movements without your knowledge.
So they both have bad sides. I think Persona's is worse. While is is true my OpenID provider does get to see all my logins, I get to choose my OpenID provider. I could even set up my own provider, if I so choose. But say if I want to use say Twitter with Persona, then I don't have the choice of choosing some other "Twitter provider" because I trust them more with my email address.
This was a really odd design choice by the Persona developers. I can't understand why they designed an auth protocol they forces you to or remember any identifier (or "principle" in the parlance used by the Persona spec) - be it an email address or anything else. The association should be between one meaningless nonce and another, nothing more. If the use case then warrants tying other data to that association, like an email address, name, phone number or whatever than that's fine, but the protocol shouldn't force that onto you.