[groks]

That's right, you're not a 'provider', you're a 'relying party' - but you are unconditionally relying on the bootstrap mozilla service. You're not supposed to swap that out and rely on some other service, you're supposed to look at the assertion provided by the browser (or the javascript shim right now, while we bootstrap). Who you verify the assertion with depends on the user's email address.

So, if tomorrow Google added support for browserid to Gmail, and jo@gmail.com tries to log in to your website, he would claim to be jo@gmail.com and pass you an assertion to that effect. You need to check that with Gmail. Of course, Gmail being popular you've probably already checked the assertion of many people claiming to have Gmail logins, so you already have the Gmail key cached, and can verify the assertion without any http requests to anywhere.

Right now, Gmail does NOT implement browserid, so the assertion which you receive will be that jo@gmail.com is vouched for by the mozilla browserid service, so you will end up checking the URL you've hard coded.

But if it's hard coded we can't proceed to the next stage, which is the distributed promise of browserid. AND, it puts lets less pressure on the likes of Gmail to implement browserid because no one will be checking gmail.com/.well-known/browserid.

[seanmonstar]

Actually, the the verifier (verifier.login.persona.org) runs code that could be run on any server. It _does_ check Gmail for the well-known file first, and then, since not found, uses the fallback of login.persona.org.

As soon as Gmail (or any id provider) implements a well-known file, the verifier will immediately use that instead.

And the script that does all this _could_ be run on your own server. The only reason we don't quite yet tell people to do that is to be absolutely sure the verifier is correct in every step. It's harder to get everyone to upgrade their own server, so while in beta, we offer the verifier.

[groks]

I think this is a bad idea:

You are using marketing terms like "Persona is distributed. Today" (last weeks blog title) but it isn't, because every auth request flows through mozilla servers. You are also advertising that it is so simple, the entire website example is 70 lines of python (recent talk), but it isn't, because you aren't implementing browserid, you're delegating to the centralised mozilla server.

Advertising that it is distributed and simple does not accurately communicate the current state of the implementation. Look at the spec:

https://github.com/mozilla/id-specs/blob/prod/browserid/inde...

> This assertion is a Backed Identity Assertion, as defined above. We call it assertion here for simplicity, since the Relying Party typically need only pass this assertion to a verifier service without worrying about the specific semantics of the assertion string.

It does not say that the centralised mozilla verifier is temporary, but expected.

This all leads to people getting the wrong impression. As you say, it is hard to get people to update software on their servers, but they don't even know that they have to - because it's distributed, today, and simple - so they aren't going to be looking. Another group of people are going to look at the spec and implementations and think: what is the point of yet another login scheme which just pipes everything through mozilla?

This is not going to help the adoption of browserid.

[sergiotapia]

I see what you mean now. I understand, but don't know how I could fix this. _Can_ this be fixed with the current state of Persona?

Specifically:

>Gmail key cached, and can verify the assertion without any http requests to anywhere.

Would love to read some example code if you have some. Thanks!

[groks]

This is the best example I've found:

https://github.com/mozilla/PyBrowserID/blob/master/browserid...