- There have been Persona extensions before for at least Firefox. It will probably be important to learn from them, even if I'm sure hardly anyone tried to use them.
- Edge's extension support can't come soon enough.
- The issue I could see with extensions is it is harder to trust the verified email addresses in "fallback" situations. The chicken and egg bootstrap problem here still seems to indicate that you still want some sort of trusted notary. Maybe a simpler fallback provider that is just a state-less "passwordless" (passwordless.net) proxy that would be easy to clone and some way to create an actively maintained whitelist of trustworthy clones?
- While we're looking at "extension-first", maybe find ways to make use of the browser's SSL client certificate infrastructure? Obviously, if you could build a good UX for bootstrapping (email-only) client certificates you could finally help people make good use of such an old, underutilized browser feature.
> There have been Persona extensions before for at least Firefox. It will probably be important to learn from them, even if I'm sure hardly anyone tried to use them.
Do you know some? I only found https://addons.mozilla.org/en-US/firefox/addon/browser-sign-..., which is old (but new to me) and it seems defunct. I'm not sure whether the source code is accessible. https://www.youtube.com/watch?v=um0Ym-Yma8Y looks nice though.
Thanks for the hint to passwordless.net. A simpler fallback-provider might be exactly right, maybe even something for stage 1.5.
The BrowserID protocol actually has a user certificate as endpoint. I'm not sure how and whether that is stored.