by abhinavg 4821 days ago
This is off the top of my head so maybe somebody will correct me, but:

Persona is a login system that cares about your privacy. With social login systems, the website you are logging into contacts the social login provider (Facebook/Google+/Twitter/what-have-you) when you attempt to log in. So you end up leaving a trail of breadcrumbs behind you of every site you visited (and used a social login on). Further, many people are not comfortable giving sites access to their social accounts because of privacy concerns.

With Persona, the idea is that your identity provider (can be your email provider, persona.org, or someone else) will have a key publicly available on their site. Your browser would generate a certificate that can be verified against that key. However, since the same key from the provider is used to authenticate all accounts on that provider, all the provider finds out when a website contacts it for the key is that someone is trying to log into said website. Plus, the website could cache the certificate and now the provider does not know this either.

There is more to this so you're probably better off reading one of the other links.
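
The flow described in the post above, as an added example that is not part of the original thread or of Mozilla's code: the provider signs a certificate for a key the browser generated, the browser signs a short-lived assertion for one site, and the site checks both using only the provider's domain-wide public key, which it caches. The message layout, the Ed25519 keys and the names `idp.example` and `site.example` are assumptions made for the sketch, not the real protocol's wire format.

```javascript
const crypto = require('crypto');

// Sign / verify a JSON payload with Ed25519 (stand-in for the real protocol's signed tokens).
const signJson = (privateKey, obj) => {
  const payload = JSON.stringify(obj);
  return { payload, sig: crypto.sign(null, Buffer.from(payload), privateKey).toString('base64') };
};
const verifyJson = (publicPem, signed) =>
  crypto.verify(null, Buffer.from(signed.payload), publicPem, Buffer.from(signed.sig, 'base64'))
    ? JSON.parse(signed.payload) : null;
const newKeys = () => {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
};

// Identity provider (hypothetical idp.example): one key pair for the whole domain.
const provider = newKeys();
const keyRequests = []; // everything the provider learns from relying sites
// Stands in for an HTTPS fetch of the provider's published key.
const fetchProviderKey = (domain) => { keyRequests.push(domain); return provider.publicPem; };
const certify = (email, publicPem, now) =>
  signJson(provider.privateKey, { email, publicPem, exp: now + 3600 });

// Browser: own key pair, certified by the provider, then signs a per-site assertion.
function browserLogin(email, audience, now) {
  const browser = newKeys();
  const cert = certify(email, browser.publicPem, now);
  return { cert, assertion: signJson(browser.privateKey, { audience, exp: now + 120 }) };
}

// Relying site: verifies the chain locally; only a cache miss contacts the provider.
const keyCache = new Map();
function verifyLogin({ cert, assertion }, audience, now) {
  const domain = JSON.parse(cert.payload).email.split('@').pop(); // untrusted until checked
  if (!keyCache.has(domain)) keyCache.set(domain, fetchProviderKey(domain));
  const c = verifyJson(keyCache.get(domain), cert);
  if (!c || c.exp < now) return null;
  const a = verifyJson(c.publicPem, assertion);
  if (!a || a.exp < now || a.audience !== audience) return null;
  return c.email;
}
```

After two different users log in to the same site, `keyRequests` holds a single entry containing only the provider's domain; binding the assertion to an audience is what stops one site from replaying it at another.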


If Persona cared about anyone's privacy, they wouldn't use emails.

Logging in with, say, a Twitter account is less secure in the respect that Twitter knows what sites you log in to, but more secure in the respect that the sites can't spam you unless you allow them to do so.

I've been thinking about this, and I have come to the conclusion that it's less of an issue than I thought it was. For a simple reason: the "email address" you provide is just an identifier. A string formatted as "user@domain", nothing more.

By convention it's a usable email address, but there is literally nothing preventing someone from starting up an email-less Persona identity provider. You'd still log in with your_username@noemailpersona.com, but that's just a formality that doesn't need to be hooked up to an actual mail server at any point.

Never using that account to actually communicate would put it on par with any other auth system you can come up with. Disposable when you want to dispose of it, and no need to ever dispose of it unless you want to. The whole issue with some people changing their email addresses for spam-fighting / inbox-cleaning purposes is a non-issue with this kind of an account.

This is correct, but the whole thing is marketed as an email address, so it will be used as an email address, i.e. a means of contacting me.

Now, consider I want to try some service I don't trust. I sign in with an email-looking identifier (which doesn't work as an email address) and use the site for some time. Eventually, I become fond of this service and want it to start contacting me. With 123done.org I can't do this, nor at mineshafter.info, nor at crossword.thetimes.co.uk. Trovebox looks broken to me, so I can't tell if it works, and I was lucky with voo.st, as it allowed me to add more accounts. I don't know more sites using Persona. Considering that today, when you register with only a Facebook or Google account, relatively many sites don't let you change that binding in the future, it's very likely the situation with Persona will be the same.

Hopefully, the existence / use of non-emailable browserid providers would encourage sites to accept alternate / custom 'primary' email addresses. It's definitely a chicken-and-egg problem though, and far from guaranteed that it would be resolved happily. And I'm in complete agreement on the marketing, and it's a problem for this setup - the system is young though, maybe this can be changed.

Though honestly I suspect browserid would encourage this anyway, since people are likely to use their primary email address, and they are likely to change to a different address in the future. If sites want to keep people through such a change, they'll want to allow changing it (since I doubt I'm alone in resenting sites that require me to maintain an address I don't use. Resentment isn't good for retention).

Found out that the Persona team does encourage this: https://developer.mozilla.org/en-US/docs/Persona/The_impleme...

Personally, I wouldn't call email addresses identities, and just say they're credentials. But Mozilla clearly has another idea on what the identity is.

Choose your identity providers (and thus email addresses) wisely. They should be filtering spam for you / letting you control things. And they shouldn't be doing it by forcing you into their silo, the way "login with Twitter" buttons work.

Actually, my biggest problem with Persona is that the source of my identity is not me, but some third party I have to trust.

I run my email addresses on my own (physically-owned) servers. I know various approaches to filtering spam, and the best one in my experience for not having a littered inbox is to have a private, non-dictionary, per-service email address and not expose it anywhere else.

The only mandatory third party between me and the Internet is the domain registrar I lease my domain name from. Not trustworthy, but this is the best one could have while all authentication systems are tightly coupled with DNS.

Actually, there's no reason you can't write your own personal identity provider: https://developer.mozilla.org/en-US/docs/Persona/Implementin...

I know that. It's just depending on domain name "ownership" (and even though it's called so, it's a temporary lease, not a purchase of property), in exactly the same way the general audience depends on email account "ownership".

Except for the fact that if one's email account or the whole provider goes down, they should still be able to log in with old-fashioned password credentials. With Persona, unless the site has a backup authentication method, they're out of luck.

This effectively means I've to stick with my domain name forever.

The login string looks like an email, but it is only for convenience. Anything that looks like an email address, and for which the domain will authenticate it using the Persona protocol, can be used. Or even an address at mockmyid.com.

Not an issue, as far as I can tell. Sign in as "OnlyMyPersonaIdentity@example.com" (or whatever) and then never check the mail: you get an easy, consistent identity, and all the sites get is an email-shaped label.