Mozilla "Persona" beta release

Posted Oct 8, 2012 3:43 UTC (Mon) by ras (subscriber, #33059)
In reply to: Mozilla "Persona" beta release by roc
Parent article: Mozilla "Persona" beta release

> It has a big privacy advantage: with OpenID, your OpenID provider is informed of every site you log into, every time you log into it.

Yes, this is true. But OpenID implemented well reveals nothing about you to the site you are logging into. They just get a nonce. And while it is true your OpenID provider does get to see your login, you can choose your OpenID provider and chain them.

Persona also has a big disadvantage: it uses the same unique user name for every site. So if sites cooperate they can track your movements without your knowledge.

So they both have bad sides. I think Persona's is worse. While it is true my OpenID provider does get to see all my logins, I get to choose my OpenID provider. I could even set up my own provider, if I so choose. But say if I want to use say Twitter with Persona, then I don't have the choice of choosing some other "Twitter provider" because I trust them more with my email address.

This was a really odd design choice by the Persona developers. I can't understand why they designed an auth protocol that forces you to or remember any identifier (or "principal" in the parlance used by the Persona spec) - be it an email address or anything else. The association should be between one meaningless nonce and another, nothing more. If the use case then warrants tying other data to that association, like an email address, name, phone number or whatever, then that's fine, but the protocol shouldn't force that onto you.


Mozilla "Persona" beta release

Posted Oct 8, 2012 4:05 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Well, since OpenID uses a URL as an identifier, then it can be used to track you just as easily.

And Persona doesn't preclude the use of ephemeral names like N123123@nopersona.org (which I've just registered) to make tracking more complex.

I mostly see the unified name as a feature, not a bug.

Mozilla "Persona" beta release

Posted Oct 8, 2012 4:18 UTC (Mon) by ras (subscriber, #33059)

> since OpenID uses a URL as an identifier, then it can be used to track you just as easily.

Not so.

Yes, it uses a URL. But as of version 2 a provider can provide the same login URL for all users. Google's implementation does this. I would not use any OpenID provider that didn't do it, which among other things means I wouldn't use any provider who only implements version 1.
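The identifier property argued over in this thread, as an added example that is not part of any comment and is not OpenID or Persona protocol code: it models what two cooperating sites can join on when every site receives the same email address versus a per-site opaque value. The HMAC construction, the key, the users and the site names are assumptions constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: the provider key, users and relying parties are made up.
PROVIDER_KEY = b"constructed-demo-key"
USERS = ["alice@example.org", "bob@example.org"]
SITES = ["https://shop.example", "https://forum.example"]


def global_id(user: str, site: str) -> str:
    """Shared-identifier model: every site receives the same email address."""
    return user


def pairwise_id(user: str, site: str) -> str:
    """Per-site opaque identifier: HMAC-SHA256(provider key, user NUL site).

    Assumed construction for illustration; the NUL separator keeps the
    (user, site) pair unambiguous because neither field can contain it.
    """
    msg = user.encode() + b"\x00" + site.encode()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def account_table(site: str, ident) -> set:
    """Identifiers one site ends up storing after each user logs in."""
    return {ident(user, site) for user in USERS}


def linkable(ident) -> set:
    """Identifiers two cooperating sites can join on by comparing tables."""
    table_a, table_b = (account_table(site, ident) for site in SITES)
    return table_a & table_b


if __name__ == "__main__":
    print("shared email, linkable accounts:", sorted(linkable(global_id)))
    print("pairwise ids, linkable accounts:", sorted(linkable(pairwise_id)))
    # The pairwise value is stable per site, so repeat logins reach the same account.
    first = pairwise_id(USERS[0], SITES[0])
    print("stable across logins:", first == pairwise_id(USERS[0], SITES[0]))
```

Only the party holding the key can map a per-site value back to a user, which is the trust placed in the provider that the comments above weigh against cross-site linkability.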

