The part that bugs me is that it seems to rely on clients keeping a private key secret and I'm not sure we can trust clients that are often programs downloaded off the internet to do so. What stops a maliciously coded BrowserID client from sending the user-generated private key to a web service (the RP) along with the identity assertion?
Wouldn't this allow this malicious RP to log in to other services that support Persona on the user's behalf and read and write info from his other accounts, at least for the duration of the certificate?
This certainly wouldn't happen in the Mozilla implementation of the BrowserID client and I'm not sure it's a huge concern. Since the certificates are of short duration it's certainly not as bad as people using the same password across different services. And of course all single sign-in systems have risks when malicious services are involved, such as the impersonation of the login page to get users to reveal their passwords, but still, can someone put my mind at ease about this particular case?
Edit: Before I talked about some stuff that you obviously already knew :)
Edited more: If you ship the user a malicious client and the user runs it, you can just keep his email password. This probably grants you access to all of his accounts for longer than the cert would last anyway. If the user uses 2-factor auth, the private key + cert combo is more useful than the password though.
It's a simple method for any email supplier to supply a key asserting that a particular email address is owned by a particular person, that that person can then use to authenticate elsewhere.
I'm actually somewhat baffled that it's taken this long for someone to come up with it!
But it turns out they mean "non-web" as in "ssh, imap, etc."
I keep waiting for someone to come up with something better than handwritten signatures; a (H)MAC of some sort seems the way to go. It just doesn't come... And yes, I've also tried to devise my own system to cryptographically sign documents, but it's not practical yet. Basically you're converting the document to a digital format before generating a 128-bit signature (that you can then put on the paper as 16 Unicode characters), which is not really ideal.
Identity is much more slippery than you are making it out to be. A signature doesn't prove it. An authentic government document doesn't prove it (it just verifies that you went through that particular identity verification process).