
This talk gets into how the protocol works without getting too much into the crypto: https://www.youtube.com/watch?v=iZBTc7iEkQY



I just watched the video. So, apparently, the long-term goal is to have email providers support this and sign user certificates. I'm still not clear on what information a certificate would contain.

More importantly, I really dislike the answer to the second question from the audience. Even when the system is fully supported without fallbacks, hacking a person's email account will grant the attacker the ability to log into all websites as the victim?

I already am quite concerned with how much control over everyone's identities services like Gmail have. If I understand it correctly, Persona will give them more direct control over users' identities. It's only decentralized in the sense that different email providers will be able to implement it separately, and verify identities of their users.

I hope I'm missing something from the big picture here.


Persona does place a lot of power in the hands of email providers, but as Flimm points out, that's already the status quo. Persona doesn't make that any worse.

What's more, Persona can be used with any email provider, so users can control who they trust, or take that trust into their own hands. Because that trust relationship is more explicit, users are (as your post demonstrates) more likely to consider the implications of trusting a specific email provider, which is a good thing.

A world with better password reset policies is still a world with passwords, and leak after leak has shown that 1) it's hard to get every site to do the right thing, and 2) people use and re-use terrible passwords. Persona lets sites do the right thing by default (since there is no password to store), and it lets me as a user better control my own security.


> Even when the system is fully supported without fallbacks, hacking a person's email account will grant the attacker the ability to log into all websites as the victim?

With or without Persona/BrowserID, your email account(s) is the key for logging into a whole bunch of other Web services, since it is already used for resetting passwords and such. Persona/BrowserID does not solve this problem.

The big picture is that it makes distributed identity easy for the average user to grok.


> If I understand it correctly, Persona will give [identity services like Gmail] more direct control over users' identities.

No, Gmail already has that control. Almost every website out there allows you to reset your password by sending you an email. If you control the user's email, you can change their passwords. Persona changes nothing in this regard.


1. Right now, Gmail has only as much control over accounts as individual website developers give it. It's up to us to implement alternative password reset systems and make them the default. Any website can (and in my opinion should) switch to something else at any time, because, firstly, the password reset system is decoupled from the core authentication mechanism and, secondly, it is under the web developer's control. Mass adoption of Persona will change this problem from locally solvable to unsolvable. If this becomes the authentication standard (which seems to be the project's goal), you will have to trust the user's email provider.

2. Right now, Gmail can reset your password, but it cannot silently authorize someone else to use your account without you knowing. It seems (and correct me if I'm wrong here) that with Persona such scenarios will become possible.


1. You're comparing Persona to an imaginary world where most websites don't rely on email providers to prove authentication. I'm comparing Persona with the actual situation where people use the same password everywhere. Persona isn't perfect, but it is much better than what the vast majority of websites use, and it allows even better methods to be implemented where needed. Furthermore, Persona is more usable, and therefore more attractive and more likely to be deployed widely.

2. Yes, it can. It can delete password reset notifications. If the notification contained the password in plain text, then there would be no easy way to find out whether Gmail logged in to your account on X. If the notification contained a password reset link, there is a possibility that the user would subsequently discover that their password was no longer accepted on X. But given that most users use the same password everywhere, Gmail already has a huge potential for evil, as it could just use the passwords it has already collected. Users that worry about Gmail can use an alternative email provider or their own; after all, email and Persona are both decentralised. Website developers that worry about Gmail can use other authentication methods on top of Persona, such as in-house two-factor authentication.

tl;dr: if Gmail is evil, both Persona and current systems can't stop it. If that worries you, use your own email server, and use other authentication methods on top of Persona on your websites.


> You're comparing Persona to an imaginary world where most websites don't rely on email providers to prove authentication.

I'm comparing hypothetical mass-adoption of Persona with hypothetical mass-adoption of an alternative password reset policy. It seems like a fair comparison.


> you will have to trust the user's email provider

Or another way to look at it is that you put the burden of choosing a responsible identity provider on the user. If the user chooses poorly they get owned, not you.


You can always host your own email services.



