by negativeview 4242 days ago
Sent some feelers out to devs I respect. Verdict is mostly negative on Persona.

Seems like Mozilla is merely providing bare bones support for Persona these days, and has stopped funding it: http://identity.mozilla.com/

Further, and this is the real nail in the coffin for me, it seems like if you wish to change your email address or lose access to it, there's no way to migrate all accounts at once. It's up to the implementor to support that: https://developer.mozilla.org/en-US/Persona/The_implementor_...

Fun note: Until recently, Email wasn't even required to sign up for GS. A Hacker News user pointed out that without this there's no way to let a user reset their password, so I made it required (though there's still no actual way to reset your password yet. Eeps!) https://news.ycombinator.com/item?id=8521505


Mozilla has stopped funding Persona but they have not stopped working on it.

Mozilla just doesn't know how to market their technical stuff properly...

I keep digging (since the site isn't breaking, yay!) but it just keeps not looking good.

On the GitHub, in the last month, a total of four people have committed code eleven times. One committed more than all the others combined.

Also, I originally said:

> Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users account if they so wish.

How does Persona not fall foul of both of these? Let's say that I implement Persona and someone uses their Gmail to create an account. Gmail goes down. Can they sign into my site or is my site effectively down for all Gmail users?

What if that same user is booted off of Gmail or closes their Gmail account for whatever reason? Are they not then booted off of my site by accident?

This person does a good job of explaining what I'm talking about: https://news.ycombinator.com/item?id=7243265

Persona is not necessarily tied to Gmail. Persona offers a Gmail gateway. As long as a user has a way of authenticating against the Persona server using the provided email, they are fine. This could be their Facebook account just as well.

Maybe you should talk to Dan Callahan, he'll be happy to answer your questions in more detail, I'm sure. I'm saying that because you sound like Persona could benefit you and Persona certainly could use more people like you criticizing it :)

So this comes back to tying accounts to emails: Well, this is the user's choice. They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your site locks users into a third party, you are just giving more choice.

As for activity: although it's not on git, there has been renewed interest in Persona lately. And until a better alternative comes by (which won't be for a long, long time) I'll defend Persona tooth and nail because, it may not be perfect, but it is far better than what is currently taking over the entire web.

I know that it's not necessarily tied to Gmail. My point was that now my site is dependent on their relationship to whatever they authenticated against. It might be Gmail, it might be Facebook, it might be anything. If that thing either goes away, or revokes their access, they're gone from my site as well. That doesn't sit well with me.

> They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your site locks users into a third party, you are just giving more choice.

It's not reasonable. Not to me anyway. And isn't putting your internet life into the hands of any single place exactly antithetical to the entire idea of decentralization?

> it may not be perfect, but it is far better than what is currently taking over the entire web.

It's better than Facebook Connect or things like that, sure. But we aren't comparing it to that, we're comparing it to individual logins. Individual logins put the relationship into the hands of the users and me. That's where it should be.

KeePass and apps like that provide all of the major benefits to users without any of the downsides.

You need to read up on Persona more, specifically on Persona gateways. They are not what you think they are.

I meant what I said: talk to Dan. You'll find it interesting, I am sure.

I am not talking about the gateways. I am talking about the identity providers. If your identity provider goes out of business, revokes your access, or any number of other things, you lose your credentials to all sites.

For instance, here's a site with a guy trying to sell you on using IDPs from a big company rather than a small. One of his points though is that the IdP is a single point of failure, exactly my point:

https://www.tbray.org/ongoing/When/201x/2013/08/14/FC2-Singl...

Under the heading "Other Failures."