[lazyjones]

> I don't understand why it doesn't have more mindshare.

Because all they've published so far is API specs and fluffy PR sites that try to portray it as "oh so much better" without offering any insight about why it is better. They can claim "more privacy" all day long, but without any details about what gets stored where and why it is supposed to be safer, they don't make a compelling case.

Look at this page for example: https://login.persona.org/about (the "how it works" page) - it has 0 details about these claims and unfortunately, we're already tired of reading how Google and FB respect our privacy. From "outside", it looks like we need to give Mozilla our (existing) credentials and trust them to handle them with care. Why should we? I feel safer making pwgen passwords for every new site I need to register at.

[bzbarsky]

Er... "they" have also published the full source code involved (at https://github.com/mozilla/browserid ) and a privacy policy at http://www.mozilla.org/en-US/persona/privacy-policy/ that you can compare to said source code as desired, if you're using Mozilla's identity provider.

As far as the architecture of the overall thing, there are also http://identity.mozilla.com/post/7899984443/privacy-and-brow... and http://identity.mozilla.com/post/11145921163/browserid-desig... and a technical specification at https://github.com/mozilla/id-specs/blob/prod/browserid/inde... that describes the exact data flow involved.

And if you read those, it should become pretty clear _why_ this is better for privacy than the FB or Google login systems. For one thing, the identity provider is never told that you're logging in.

[lazyjones]

Not even the links you posted tell me a) where certificates are stored and how they are protected, b) what measures are taken to prevent unauthorized use of those certificates by the ID provider, the browser (plugins?), other entities, c) how the act of entering an e-mail address is secure (other people may have access to my computer and know my e-mail address). Admittedly, I didn't watch the 1 hour presentation video, but I've come across HN-linked presentation web pages several times and tried to understand these issues every time, the result was always the same: Mozilla assures me it's all done properly, but does not provide the relevant details to back up these claims.

Mozilla needs to make a very compelling case to web site owners for adoption, because FB and even Google has more users and oauth is at least roughly understood.

[badida]

Let's see if I can help provide some answers here:

a) certificates are stored in localStorage for https://login.persona.org. They are very short-lived (hours), so that we don't have to deal with revocation, since that would likely be impossible on a per-user scale.

b) there's no way you can prevent an identity provider from misusing your identity. They're your identity provider. You chose them because you trust them to credential you and not let other folks impersonate you.

b') browser extensions already have full control over your life. That's something that should be addressed longer term, but Persona is not making this any worse.

b'') other entities cannot access the localStorage for login.persona.org, so that should be okay.

c) you're not just entering an email address. You're also proving you own it, for example by being logged into your Yahoo.com account, or by clicking the confirmation link we send you. What we're doing is minimizing the number of steps you have to take to prove you own an email address. But you still have to own it.

You should check out our documentation, which is quite thorough:

  https://developer.mozilla.org/en-US/docs/persona

I think we've provided a lot of hard data and docs to back our claims, but we're happy to provide more, of course.

[AnIrishDuck]

> how the act of entering an e-mail address is secure (other people may have access to my computer and know my e-mail address)

Assuming you're saying other people have access to your email account already, it's game over: practically every site will send password reset procedures on demand to the email you used to create your account.

Alternatively, if you're saying other people know your email address, that's not really relevant. They need to either be able to read email on your account (see above), or be able to implement an Identity Provider on your email domain.

If an unauthorized party is able to implement an IdP on your email domain you have an even worse problem: your email provider apparently is unable to control basic aspects of their own domain.

to actually implement an IdP, your email provider must publish a https://domain.com/.well-known/browserid file. If a rogue third party can do this at will, I'd say your email provider has horrible security and your security assumptions are probably broken anyway.

[bzbarsky]

Those are all great questions, indeed. I'll see if I can get people to answer them!

[lubujackson]

Since programmers and other tech workers still have difficulty understanding the details of Persona, this seems to be a clear PR issue. It's a lot like trying to convert normal people to Linux by telling them it's great and if they don't believe you they can read the source of the kernel. Not a very compelling defense.

[6a68]

We've got a lot more to offer than "use the source Luke" ;-)

There are tons of technical docs on our MDN page: https://developer.mozilla.org/docs/Persona

You can start with a high-level explanation of why Persona is different and awesome: https://developer.mozilla.org/en-US/docs/Persona/Why_Persona

From there, you can dig as deep as you'd like--we have docs to help with building an identity provider, integrating Persona into an existing site, even a list of pre-written open source plugins in a ton of languages/frameworks.

If none of that works, drop by #identity on mozilla IRC and tell us our docs suck, so we can prioritize making them better.

[6a68]

Yow, that's rough. We try really hard to publish docs that will help non-technical users, sites considering using Persona, and potential identity providers. The best starting point is probably the top-level MDN page:

https://developer.mozilla.org/docs/Persona

[lazyjones]

I am a technical user. I just don't want to wade through source code or watch 1 hour long videos to understand why this is supposedly secure. I can accept that not telling ID providers where users are logging in enhances their privacy (whether they care or not is debatable). However, I do not see why accounts are protected better, especially compared to different passwords for every site.

What is my identity tied to? The browser and the given e-mail address? Can anyone who has access to these fake my identity? What countermeasures can I take if that happens? A simple password change is probably out of the question. Such are the questions I'd like to be able to answer, but with the provided, easily accessible information, I cannot.

[badida]

To be fair, if you want to understand why something is supposedly secure, you will have to spend some time :)

Let's see if I can help.

Your identity is tied to your ability to prove that you own an email address. You can do that by clicking a confirmation link we send you. Or, as of Beta2 (today!), you can do that by having your domain implement the Persona Identity Provider API, where your domain publishes a public-key and issues certificates to you based on that public key, which you can then use to sign into web sites. Also as of today, we do that for Yahoo users by bridging to Yahoo OpenID, so basically Persona is an OpenID client to Yahoo, gets Yahoo to vouch for your email, and based on that issues you a Persona certificate (backed by our public key) for your email address.

But whatever way you go, it's about proving you own an email address and obtaining a certificate for it.

Yes, someone who has access to your browser can fake your identity if you don't lock your browser/OS, but that's nothing new. In fact, the simple password change is how we mitigate that. As soon as you change your password, we invalidate all sessions on all devices. Certificates last only a few hours, so they'll be disabled quickly too.