by drdaeman 4794 days ago
My biggest problem with Persona is that I don't own an identity. My identity is provided to me by some third party. Even if I host an identity provider on my physically owned server, the identity is still not mine, as I can't own a domain (domains are leased from a registrar, not bought).

It also does not solve many problems OpenID had. For example, multiple identities ("which provider did I use here?") got even worse, and migration is still completely manual (go everywhere, tell them you have a new email, and good luck if you no longer have the old one). And, rephrasing the OP title, "I long for the future where I can safely assume my email provider is compromised" is impossible with Persona, too. The point is, I believe, that Persona already has known design-level problems and, I guess, will eventually go away, replaced by something else.

And I don't really understand why we need such intermediate steps instead of finally getting to the point where we are the source and are in possession of our own identities, and others are just trusted third parties that are asserting our descriptions of ourselves. Standardize a secure key escrow (sync) protocol, think about UI/UX issues (present-day browsers' HTTPS certificate UI is plain ugly), have some advertisement and educational articles, and that's about it.

(Added after some thinking) Well, maybe I'm oversimplifying it, though, and things are harder than I believe they are... But the only problem I ever had with GPG (which I used as an identity system) is key loss and temporary unavailability. And this could really be mitigated by key escrow (trading a bit of security for usability).