A few people and I have been talking about Persona and possibly developing a next version. We're chatting on https://gitter.im/letsauth/LetsAuth, or #letsauth on Freenode. Feel free to join either; we'd love to brainstorm together.
I like the idea of maybe pursuing an extension-first plan for the next attempt at BrowserID. Some thoughts:
- There have been Persona extensions before for at least Firefox. It will probably be important to learn from them, even if I'm sure hardly anyone tried to use them.
- Edge's extension support can't come soon enough.
- The issue I could see with extensions is it is harder to trust the verified email addresses in "fallback" situations. The chicken and egg bootstrap problem here still seems to indicate that you still want some sort of trusted notary. Maybe a simpler fallback provider that is just a state-less "passwordless" (passwordless.net) proxy that would be easy to clone and some way to create an actively maintained whitelist of trustworthy clones?
- While we're looking at "extension-first", maybe find ways to make use of the browser's SSL client certificate infrastructure? Obviously, if you could build a good UX for bootstrapping (email-only) client certificates you could finally help people make good use of such an old, underutilized browser feature.
Thanks. Note that I tried to write an accurate roadmap based on the discussion, but it was not the only roadmap I could've written – early stage, goals still to define.
> There have been Persona extensions before for at least Firefox. It will probably be important to learn from them, even if I'm sure hardly anyone tried to use them.