Mozilla "Persona" beta release

Posted Sep 28, 2012 15:18 UTC (Fri) by geisler (guest, #44380)
In reply to: Mozilla "Persona" beta release by alankila
Parent article: Mozilla "Persona" beta release

I think you're looking for this:

https://developer.mozilla.org/en-US/docs/Persona



Mozilla "Persona" beta release

Posted Sep 28, 2012 22:55 UTC (Fri) by alankila (guest, #47141)

Indeed. I now saw the protocol overview on that page.

I think this looks a whole lot like OpenID, in the end. In both cases you're supposed to run some web server software to handle the login process for relying parties. The only major difference is that instead of your identity being a URL, it's an email, but that email is converted to a URL by a convention, and that URL is then used to look up the API's relevant details.

Mozilla's additional trick here is that if your email-like identity's provider doesn't support this protocol (the derived URL doesn't contain a valid document), they offer some kind of implementation which can do the authentication nevertheless. I presume *that* does send emails to the address, and you have to read them and maybe follow a link or copy-paste some token from that email to prove that you can read messages sent to that email address.

Mozilla "Persona" beta release

Posted Sep 29, 2012 21:30 UTC (Sat) by geofft (subscriber, #59789)

Yeah, that's exactly correct. I'd prefer to introduce myself as geofft@example.com than http://example.com/user/geofft. And in particular, you can contact me in some well-known way (email) and possibly other ways (Jabber?) through that first address, whereas that second address is _only_ an OpenID identity.

The WebFinger home page makes this point in more detail, and Persona is heavily inspired by WebFinger.

Mozilla "Persona" beta release

Posted Oct 1, 2012 1:48 UTC (Mon) by roc (subscriber, #30627)

BrowserID has other advantages over OpenID. It has a big privacy advantage: with OpenID, your OpenID provider is informed of every site you log into, every time you log into it. It's like the government being informed every time you present your driver's license as ID. (Actually worse, since the ID provider can selectively deny authentication on a site by site basis.)

With BrowserID an ID provider can at most deduce (via its key being fetched) that *some* unspecified user is logging into a particular site, and because the key is cached this notification only happens once in a while (e.g. every 12 hours).

Mozilla "Persona" beta release

Posted Oct 4, 2012 9:39 UTC (Thu) by alankila (guest, #47141)

This is an excellent point. I agree that this change turns me far more enthusiastic about Persona, because there is no real reason for an OpenID provider to know about the sites I visit.

Mozilla "Persona" beta release

Posted Oct 8, 2012 3:43 UTC (Mon) by ras (subscriber, #33059)

> It has a big privacy advantage: with OpenID, your OpenID provider is informed of every site you log into, every time you log into it.

Yes, this is true. But OpenID implemented well reveals nothing about you to the site you are logging into. They just get a nonce. And while it is true your OpenID provider does get to see your login, you can choose your OpenID provider and chain them.

Persona also has a big disadvantage: it uses the same unique user name for every site. So if sites cooperate they can track your movements without your knowledge.

So they both have bad sides. I think Persona's is worse. While it is true my OpenID provider does get to see all my logins, I get to choose my OpenID provider. I could even set up my own provider, if I so choose. But if I want to use, say, Twitter with Persona, then I don't have the choice of choosing some other "Twitter provider" because I trust them more with my email address.

This was a really odd design choice by the Persona developers. I can't understand why they designed an auth protocol that forces you to remember any identifier (or "principal" in the parlance used by the Persona spec), be it an email address or anything else. The association should be between one meaningless nonce and another, nothing more. If the use case then warrants tying other data to that association, like an email address, name, phone number or whatever, then that's fine, but the protocol shouldn't force that onto you.

Mozilla "Persona" beta release

Posted Oct 8, 2012 4:05 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Well, since OpenID uses a URL as an identifier, then it can be used to track you just as easily.

And Persona doesn't preclude the use of ephemeral names like N123123@nopersona.org (which I've just registered) to make tracking more complex.

I mostly see the unified name as a feature, not a bug.

Mozilla "Persona" beta release

Posted Oct 8, 2012 4:18 UTC (Mon) by ras (subscriber, #33059)

> since OpenID uses a URL as an identifier, then it can be used to track you just as easily.

Not so.

Yes, it uses a URL. But as of version 2 a provider can provide the same login URL for all users. Google's implementation does this. I would not use any OpenID provider that didn't do it, which among other things means I wouldn't use any provider who only implements version 1.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds