[tofumatt]

I believe the aim is to have email providers be able to auth your persona email instead of Mozilla, but Mozilla exists as a sort of polyfill if the provider (eg. hotmail.com, gmail.com, your-custom-domain.net) doesn't do persona yet.

Also, yes: people can still choose crummy passwords. Personally, I don't think the appeal is in better security; it's convenience of single sign-on without it being tied to a. identity or b. Facebook (or twitter or google or whatever other service that harvests my data).

[donrhummy]

Right, but the email providers are only authenticating you to Persona. As far as the websites using Persona are concerned, it's persona.org that authenticates you.

And the appeal that Mozilla is pushing is definitely better security (as well as a distributed security authentication versus one for-profit authority - I definitely trust Mozilla MUCH more than Facebook or twitter, but it's still a central authority). You can especially see this in the talk they gave introducing it: http://www.youtube.com/watch?v=iZBTc7iEkQY

[ozten]

As a website you can do local verification of the log in assertion.

Mozilla hosts a verifier as a convenience, but you don't have to use it.

[donrhummy]

But the assertion only gets sent if the user logs in to persona first (with their email and persona password)

[callahad]

Ah! Right. There is no Persona password if your email provider supports Persona natively. If your provider has native support, you only authenticate with them, and the site you're logging into sees a credential issued by your provider. Mozilla is completely out of the transaction in that case.

You can try this yourself with a demo identity provider we have at http://eyedee.me/