[clauretano]

You can run your own persona identity provider on your own domain, then use an email address at that domain to log in. You get to control the authentication, the password policy, decide on multi-factor, etc.

This actually very much can solve the inability people have to control their identity on the web.

[SudoNick]

It appears to me that in order to run your own Persona Identity Provider you must setup and maintain an SSL capable webserver for your email domain, equipped with a certificate that chains up to one in Mozilla's bundle (no self-signed cert), configured to handle the Persona protocol and authenticate you. FWIW, some (including myself) run email-only domains/servers with unnecessary services (httpd!) purposely disabled in order to reduce attack surface and administration chores.

AFAICT, even if you do setup your own Persona Identity Provider you would not have control over Relying Parties (websites you login to) and how they verify identity assertions. IOW, you couldn't prevent Relying Parties from taking the easy way out and issuing backend calls to Mozilla's verification service. Which would leak Email Address, Login Site, and time information to Mozilla. Nothing against Mozilla BTW, it's just a third party in such contexts and thus should not be privy to any information about account creations and/or logins.

I think those who run a strong browser config (limiting third party scripts, third party cookies, and/or cross site requests) would have to weaken their setup to even allow the Persona mechanisms to work correctly.

[cinquemb]

When i think of people controlling their identity, i dont think of just an email address. I think of their name, their gender, what they look like and the context their data is put in on the web.

Persona seems like it has everything to do with the signup/login process, and not the actual identity of the person who already has some kind of data of that kind floating around the internet (the kind people want to sell to others).

There's no way that this gives someone the ability to go back and erase whats already out there now and somehow give them control over where their information resides and how it's used more than it is now.

Maybe i'm missing something, but this doesn't seem to provide any more utility that i need now since i haven't even incorporated any social login to my site anyways (and don't plan on it either).