[lazyjones]

Not even the links you posted tell me a) where certificates are stored and how they are protected, b) what measures are taken to prevent unauthorized use of those certificates by the ID provider, the browser (plugins?), other entities, c) how the act of entering an e-mail address is secure (other people may have access to my computer and know my e-mail address). Admittedly, I didn't watch the 1 hour presentation video, but I've come across HN-linked presentation web pages several times and tried to understand these issues every time, the result was always the same: Mozilla assures me it's all done properly, but does not provide the relevant details to back up these claims.

Mozilla needs to make a very compelling case to web site owners for adoption, because FB and even Google has more users and oauth is at least roughly understood.

[badida]

Let's see if I can help provide some answers here:

a) certificates are stored in localStorage for https://login.persona.org. They are very short-lived (hours), so that we don't have to deal with revocation, since that would likely be impossible on a per-user scale.

b) there's no way you can prevent an identity provider from misusing your identity. They're your identity provider. You chose them because you trust them to credential you and not let other folks impersonate you.

b') browser extensions already have full control over your life. That's something that should be addressed longer term, but Persona is not making this any worse.

b'') other entities cannot access the localStorage for login.persona.org, so that should be okay.

c) you're not just entering an email address. You're also proving you own it, for example by being logged into your Yahoo.com account, or by clicking the confirmation link we send you. What we're doing is minimizing the number of steps you have to take to prove you own an email address. But you still have to own it.

You should check out our documentation, which is quite thorough:

  https://developer.mozilla.org/en-US/docs/persona

I think we've provided a lot of hard data and docs to back our claims, but we're happy to provide more, of course.

[AnIrishDuck]

> how the act of entering an e-mail address is secure (other people may have access to my computer and know my e-mail address)

Assuming you're saying other people have access to your email account already, it's game over: practically every site will send password reset procedures on demand to the email you used to create your account.

Alternatively, if you're saying other people know your email address, that's not really relevant. They need to either be able to read email on your account (see above), or be able to implement an Identity Provider on your email domain.

If an unauthorized party is able to implement an IdP on your email domain you have an even worse problem: your email provider apparently is unable to control basic aspects of their own domain.

to actually implement an IdP, your email provider must publish a https://domain.com/.well-known/browserid file. If a rogue third party can do this at will, I'd say your email provider has horrible security and your security assumptions are probably broken anyway.

[bzbarsky]

Those are all great questions, indeed. I'll see if I can get people to answer them!