| HN Mirror

Sent some feelers out to devs I respect. Verdict is mostly negative on Persona.

Seems like Mozilla is merely providing bare bones support for Persona these days, and has stopped funding it: http://identity.mozilla.com/

Further, and this is the real nail in the coffin for me, it seems like if you wish to change your email address or lose access to it, there's no way to migrate all accounts at once. It's up to the implementor to support that: https://developer.mozilla.org/en-US/Persona/The_implementor_...

Fun note: Until recently, Email wasn't even required to sign up for GS. A Hacker News user pointed out that without this there's no way to let a user reset their password, so I made it required (though there's still no actual way to reset your password yet. Eeps!) https://news.ycombinator.com/item?id=8521505

Mozilla has stopped funding Persona but they have not stopped working on it.

Mozilla just doesn't know how to market their technical stuff properly...

I keep digging (since the site isn't breaking, yay!) but it just keeps not looking good.

On the github, in the last month, a total of four people have committed code eleven times. One committed more than all the others combined.

Also, I originally said:

> Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users account if they so wish.

How does Persona not fall foul of both of these? Let's say that I implement Persona and someone uses their Gmail to create an account. Gmail goes down. Can they sign into my site or is my site effectively down for all gmail users?

What if that same user is booted off of Gmail or closes their Gmail account for whatever reason? Are they not then booted off of my site by accident?

This person does a good job of explaining what I'm talking about: https://news.ycombinator.com/item?id=7243265

Persona is not necessarily tied to gmail. Persona offers a gmail gateway. As long as a user has a way of authenticating against the persona server using the provided email, they are fine. This could be their facebook account just as well.

Maybe you should talk to Dan Callahan, he'll be happy to answer your questions in more details I'm sure. I'm saying that because you sound like Persona could benefit you and Persona certainly could use more people like you criticizing it :)

So this comes back to tying accounts to emails: Well, this is the user's choice. They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your sites locks users into a third party, you are just giving more choice.

As for activity: although it's not on git, there has been renewed interest in Persona lately. And until a better alternative comes by (which won't be for a long, long time) I'll defend persona tooth and nail because, it may not be perfect, but it is far better than what is currently taking over the entire web.

I know that it's not necessarily tied to Gmail. My point was that now my site is dependent on their relationship to whatever they authenticated against. It might be gmail, it might be Facebook, it might be anything. If that thing either goes away, or revokes their access, they're gone from my site as well. That doesn't sit well with me.

> They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your sites locks users into a third party, you are just giving more choice.

It's not reasonable. Not to me anyway. And isn't putting your internet life into the hands of any single place exactly antithetical to the entire idea of decentralization?

> it may not be perfect, but it is far better than what is currently taking over the entire web.

It's better than Facebook Connect or things like that, sure. But we aren't comparing it to that, we're comparing it to individual logins. Individual logins put the relationship into the hands of the users and me. That's where it should be.

KeePass and apps like that provide all of the major benefits to users without any of the downsides.

You need to read up on Persona more, specifically on persona gateways. They are not what you think they are.

I meant what I said: talk to Dan. You'll find it interesting, I am sure.

I'll look into Persona. It probably won't be today as I'm trying to be extra attentive to the site while I'm drumming up traffic, but it's on my list now.

In theory you could build it in one sitting then share it. And I suppose there's use there. I don't particularly like the idea of people not being (necessarily) able to edit after the fact. That might not be as big of a downside as I think it is though. I'll mull that over as well. It works for imgur, after all, and even though I have an account I fairly often use it without signing in...

I think this is mitigatable by allowing your users to merge their account into a new one. So this is functionality you can implement serverside, persona does not by itself prevent your users from changing their email - it just doesn't provide the possibility (right now?)