
Identity/Persona Shutdown Guidelines for Reliers - CapacitorSet
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
======
onli
Shameless plug: Portier is a FOSS project to replace Persona,
[https://portier.github.io/](https://portier.github.io/). We also just had our
time on the HN frontpage,
[https://news.ycombinator.com/item?id=12837669](https://news.ycombinator.com/item?id=12837669).
Lots of questions were answered there, but feel free to ask here as well if
anything is unclear.

~~~
captainmuon
This is pretty cool, I might try it one day if I build a site that needs
login.

But this is a lot different than Persona, right? Portier is passwordless login
via email (with special handling for Gmail), whereas Persona is another of
those "Log in via" buttons (simply speaking)?

~~~
fiatjaf
No. They work pretty much the same, except Portier is stateless, and Persona
needed you to create an account before use, which was unnecessary. Persona
also had special handling for Gmail. Portier will probably add more "special
handling" cases in the near future.

~~~
WorldMaker
Persona only required you to create an account if your email provider didn't
support it (or your custom domain didn't delegate it) or they didn't have
special handling for your email provider. There was a bunch of confusion about
this early on because a lot of potential early adopters were generally geeks
like us who have our own email domains and didn't automatically fall into the
special handling (Persona supported special handling for Gmail and Yahoo, which
remain the two largest email domains).

~~~
callahad
Technically, you _always_ created an account when you used Persona. Sometimes
with a password, sometimes without. Sometimes old passwords would come back to
haunt you if your domain added and then removed support for BrowserID.
Sometimes you would accidentally set up two accounts, because you added a new
address to the Persona UI in the wrong order. Sometimes addresses would
mysteriously bounce between Persona accounts, because we updated the
address/account association on each use. Sometimes you needed a password and
sometimes you didn't for the same address, because we supported
un-decentralizing Persona on a per-website basis.

...the account story in Persona was way more complicated than it should have
been, mainly stemming from the notion that per-login email confirmation loops
were too onerous to be viable, and from the idea that users wouldn't succeed
with Persona unless it remembered and displayed all of their email addresses
in a consistent, persisted account chooser.

------
kibwen
If you're a fan of the idea behind Persona, it looks like there's a spiritual
successor from some Mozilla veterans called Portier, which can be self-hosted
(and is written in Rust, if that's your thing :P ). Recent announcement and HN
discussion here:
[https://news.ycombinator.com/item?id=12837669](https://news.ycombinator.com/item?id=12837669)

~~~
Flimm
The main thing I was keen about was browser integration, which only the
browser vendors could provide.

~~~
reitanqild
Couldn't it be done as a Firefox extension?

~~~
anc84
Yes, but adoption would be a tiny fraction of what mainline support/promotion
could accomplish.

~~~
reitanqild
Late reply, but:

I think this is one of a few areas where a browser or extension developer can
create something that will force every other browser vendor to adapt, sooner
or later.

Last time I feel that happened was with tabs, so IMO this is a high-value
target even if nobody seems to be interested ATM.

------
luso_brazilian
Previous discussion of the original announcement (Jan 2016):
[https://news.ycombinator.com/item?id=10884893](https://news.ycombinator.com/item?id=10884893)

A decentralized way to authenticate users securely and privately would be an
exceptional addition to the open internet.

Unfortunately in this case the financial incentive favors those building
"information silos" where the purpose is information collection for profit.

I wonder if SMTP would ever see the light of the day with the current mindset
as opposed to a "Facebook Messenger"-like multitude of services, much like
what happened with the IM fragmentation.

------
aestetix
"Why is persona.org being shut down? Our metrics show that usage of
persona.org is low, and has not grown over the last two years.

Hosting a service at the level of security and availability required for an
authentication system is no small undertaking, and Mozilla can no longer
justify dedicating limited resources to this project. We will do everything we
can to shut it down in a graceful and responsible manner."

I find this a bit confusing because citing low usage and lack of growth is
something I'd expect to hear from a for-profit corporation, not a well funded
non-profit. Have they shared information on how expensive it is to maintain
Persona? I'm also unaware of any pledge drives to get funding for it.

~~~
syshum
I found it confusing that they expected growth over the last 2 years when in
2014 they functionally announced they were going to abandon it, transitioning
it to "community ownership".

This is a self-fulfilling prophecy.

~~~
pekk
They have the right to set their level of involvement or investment, and it is
only polite to peg that level of involvement to whether any significant number
of people are using the thing. It doesn't mean they were obligated to try to
actively market persona while also planning to shut it down, that would make
even less sense.

------
Flimm
Such a shame. Persona was a hugely exciting project. It always disappointed me
that Mozilla never fully implemented the vision of Persona integration in the
browser, and it puzzles me that Mozilla seem surprised that Persona didn't get
much adoption.

I still think there's potential for improving user authentication in a way
that's usable, privacy conscious and fast, without a costly shim service like
persona.org. Maybe Firefox could finally implement the Persona API in the
browser for sites to use?

------
captainmuon
I tried Persona back then when it was new, and found it pretty confusing (as a
user). Still, it feels like a lost opportunity that it is shutting down.

Can someone tell, in a nutshell, what the difference was between OpenID/OAuth
(I mean whatever the heck it is that allows me to "log in using my
Google/Facebook/GitHub account". I always mix up those two.)?

Is it just that you use your e.g. Gmail or other third party email address,
but then the authentication is not done by your email account provider, but by
Mozilla?

~~~
Flimm

      ╔════════════════════════════════════════╦═══════════════════════════════════════════╦══════════════════════════════════════════╦════════════════════════════╗
      ║                                        ║ Persona with browser and email server     ║ persona.org shim                         ║ OpenID                     ║
      ║                                        ║ integration                               ║                                          ║                            ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ User identifier                        ║ email address                             ║ email address                            ║ URI                        ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Auth provider                          ║ Email server                              ║ persona.org                              ║ OpenID server              ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Passwordless                           ║ Just one password for your email server   ║ One for the shim, and one for your email ║ One for your OpenID server ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Provider sees where you log in         ║ No                                        ║ No                                       ║ Yes                        ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Provider must stay online at all times ║ No, auth tokens are cached                ║ No, but persona.org must stay online     ║ Yes                        ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Requires Javascript                    ║ Yes                                       ║ Yes                                      ║ unknown                    ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Fallback available                     ║ Yes, just use the email                   ║ Yes, just use the email                  ║ None                       ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Ability to contact user                ║ Yes, just use the email                   ║ Yes, just use the email                  ║ None                       ║
      ╠════════════════════════════════════════╬═══════════════════════════════════════════╬══════════════════════════════════════════╬════════════════════════════╣
      ║ Implemented                            ║ In no desktop browsers or email providers ║ Yes                                      ║ Yes                        ║
      ╚════════════════════════════════════════╩═══════════════════════════════════════════╩══════════════════════════════════════════╩════════════════════════════╝

~~~
anarcat
that's a great chart, but a few corrections about OpenID:

Provider must stay online at all times: the OpenID provider needs to be online
when you login to the consumer site, after that, you have a session with that
site and the provider doesn't need to be online.

Requires Javascript: there's a fallback in OpenID.

Ability to contact owner: there are extensions to propagate attributes like
email addresses that are commonly supported.

~~~
cdcarter
I think the key point is that _by design_, OpenID Connect doesn't necessitate
that the identity provider reveals the user's email address to the service
provider. The identity provider can choose to include that in the token (or
the UserInfo endpoint) or they can hide it behind another OAuth scope and
explicit permission.

Whereas by design, Persona does mean the service provider has access to your
email address. For consumer applications, this is probably fine, but it's a
very different assumption than most access and authorization use.
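
The distinction cdcarter draws above can be made concrete on the relying-party side. The following is an added example, not code from the thread or from Persona/Portier: a small OpenID Connect relying party that verifies an ID token, keys the local account on the stable `sub` claim rather than the email, and only exposes an email address when the provider both included it (i.e. the `email` scope was granted) and marked it `email_verified`. The issuer, client id and shared HMAC key are constructed demo values; a real provider signs with RS256/ES256 and publishes its keys, so the HS256 shared secret here just stands in for that key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not real endpoints or secrets): a shared
# HMAC key standing in for the provider's signing key, and the issuer/client id
# a relying party would have configured for a hypothetical OpenID provider.
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://op.example"       # hypothetical OpenID provider
EXPECTED_AUDIENCE = "rp-client-id-123"       # hypothetical RP client_id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed JWT for the demo; the claims dict plays the role of
    what the provider decided to disclose (email present only if the scope was
    granted)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify signature, issuer, audience and expiry; return claims or raise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: the token must never choose 'none' or another alg.
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def is_valid(token: str, now=None) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need a verdict."""
    try:
        verify_id_token(token, now=now)
        return True
    except ValueError:
        return False


def account_from_claims(claims: dict) -> dict:
    """Key the RP account on (iss, sub); expose email only when the provider
    vouched for it. Unlike Persona, the identifier is not the email itself."""
    email = claims.get("email")
    verified = claims.get("email_verified") is True
    return {
        "account_key": f"{claims['iss']}|{claims['sub']}",
        "email": email if (email and verified) else None,
        "email_disclosed": email is not None,
    }


if __name__ == "__main__":
    base = {"iss": EXPECTED_ISSUER, "sub": "user-42", "aud": EXPECTED_AUDIENCE,
            "iat": 1000, "exp": 2000}
    # Same user, with and without the email scope granted: same account key.
    with_email = make_id_token({**base, "email": "alice@example.org", "email_verified": True})
    without_email = make_id_token(base)
    print(account_from_claims(verify_id_token(with_email, now=1500)))
    print(account_from_claims(verify_id_token(without_email, now=1500)))
```

The two tokens in the demo map to the same `account_key`, which is the point: the relying party can recognise a returning user whether or not the provider disclosed an address, and an address that arrives without `email_verified: true` is treated as undisclosed rather than trusted.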

------
krmbzds
Persona was a great service. Such a shame.

------
phkahler
>> Identity/Persona Shutdown Guidelines for Reliers

I can't parse this headline. It sounds like a weird psychological problem of
some sort ;-)

~~~
JadeNB
Yeah, this one
[https://news.ycombinator.com/item?id=12862355](https://news.ycombinator.com/item?id=12862355)
is weird too. I think it's "((Identity/Persona Shutdown) Guide) for Reliers",
i.e., a guide to the shutdown of Identity/Persona for people who rely on
Identity/Persona.

------
barkingcat
posted in wrong thread!

~~~
callahad
I think you mean to be in this thread:
[https://news.ycombinator.com/item?id=12861815](https://news.ycombinator.com/item?id=12861815)

~~~
barkingcat
oops you are right!

------
natuac
The fact that they keep throwing money at useless stuff like that new design
for their logo, while at the same time they refuse to keep useful services
online, is a clear sign of the downfall of the Mozilla Foundation.

~~~
josho
> refuse to keep useful services online

The project failed to gain widespread adoption. An org that runs marginally
valuable side projects indefinitely is an org that is going to face a
downfall.

Like you, I'd love to see a better authn mechanism, but Persona wasn't going
to be it. So, this frees their resources to focus on what is going to continue
making Mozilla relevant. Certainly a declining user base on Persona wasn't
going to be it.

~~~
Flimm
My opinion is that Persona was still untested, we will never know whether
Persona was going to be it or not because they never launched the browser
integration.

