We want to do better: we want to get rid of the Persona servers altogether. As tlocke said, Persona is designed to let you choose who you trust, and anything that requires centralization is considered a bug.
There are 4 points of temporary centralization, each of which can be replaced independently:
1. The JS polyfill. Until we stabilize the API, we ask that you link directly to login.persona.org/include.js
2. The persona.org interface. Once browsers have native support for Persona, that will supersede both the polyfill and the persona.org interface. This is all based on what Mike Hanson called Locally Isolated Feature Domains (LIFD): http://www.open-mike.org/entry/lifding-the-web
3. The Fallback IdP. If your email provider doesn't support Persona, Mozilla will certify your identity after you click a confirmation link sent to your email address. If your email provider does support Persona, it automatically supplants Mozilla's fallback.
If you're interested in getting involved, drop me a line and I'd be happy to help you get started.
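As an added illustration of point 3 above (example code, not from this thread or from Mozilla), the snippet decodes a Persona backed assertion and reports whether the email was certified by its own provider or by the fallback IdP, and which site the assertion is scoped to. It assumes the `<certificate>~<assertion>` layout with each half a compact JWS, and it does not verify signatures or fetch the issuer's key.

```javascript
// Added example, not code from the thread or from Mozilla: decode a
// Persona/BrowserID "backed assertion" to show which party vouches for what.
// Assumed format: "<certificate>~<assertion>", each a JWS compact string
// (header.payload.signature). Signatures are NOT checked here; a real verifier
// fetches the issuer's key from https://<issuer>/.well-known/browserid first.

const FALLBACK_IDP = 'login.persona.org'; // Mozilla's fallback IdP from the thread

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Return the payload (claims) of a compact JWS without verifying it.
function jwsClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Report who certified the email, which site the assertion is scoped to,
// and whether both halves are still valid at `now` (milliseconds since epoch).
function inspectBackedAssertion(backed, now) {
  const [certTok, assertionTok] = backed.split('~');
  if (!assertionTok) throw new Error('expected <cert>~<assertion>');
  const cert = jwsClaims(certTok);
  const assertion = jwsClaims(assertionTok);
  const email = cert.principal.email;
  const emailDomain = email.slice(email.indexOf('@') + 1);
  // The cert issuer must be the address's own domain (native Persona support)
  // or the fallback IdP; any other issuer has no authority over that address.
  const trustedIssuer = cert.iss === emailDomain || cert.iss === FALLBACK_IDP;
  return {
    email, issuer: cert.iss, audience: assertion.aud,
    usedFallback: cert.iss === FALLBACK_IDP, trustedIssuer,
    unexpired: cert.exp > now && assertion.exp > now,
  };
}

// Constructed sample: the fallback IdP certifies alice@example.com, and the
// browser-side assertion is scoped to https://rp.example. Dummy signatures.
const header = b64url({ alg: 'RS256' });
const SAMPLE_CERT = header + '.' + b64url({
  iss: FALLBACK_IDP, iat: 1000000000000, exp: 2000000000000,
  'public-key': { algorithm: 'RS', n: 'placeholder', e: '65537' },
  principal: { email: 'alice@example.com' },
}) + '.dummysig';
const SAMPLE_ASSERTION = header + '.' + b64url({
  aud: 'https://rp.example', iat: 1000000000000, exp: 1000000600000,
}) + '.dummysig';
const SAMPLE_BACKED = SAMPLE_CERT + '~' + SAMPLE_ASSERTION;
```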
Also: Good job on Persona - you guys deserve praise - as I said in the blog post, I'm very excited about Persona, primarily because I see it as a huge user experience improvement over the current normal sign-in flow.
Asking email address for sign-up is perhaps important, but I'm wondering why can't it be removed completely from the process? It is a piece of friction, and potentially identifying as OP puts it in his post?
Can't we be just done with the requirement of email address? Let early users, especially those who inspire the rest of the bell curve, remember their persona id with some personal questions that the user may so choose.
Get rid of anything that can be gotten rid of.
- Most everyone on the 'Net has one.
- Most everyone remembers their email address (but they might not remember what usernames they used for which websites).
- Email addresses are unique, so when a user signs up for Persona, they don't have to go through that time-wasting "this username is taken, try this one instead" process.
- Email addresses make it easy to recover forgotten passwords.
So - while I see your point - I think that email addresses are the best option.
Let's look at an ordinary user first. An ordinary user doesn't half understand the subject of privacy. He/she is rather more interested in sharing his/her best looking picture on Facebook. Or worried about landing a good job with a nice new email with all the strengths. Which is the cool app, what is the next device he can show off etc.
Why would Persona matter to such a user? A type that is majority and we've counted them all in the statement 'everyone on the 'Net has one'. So this is more like opening an end of a small pipe to the atmosphere thinking that all the air will pass through it.
Yes. But it doesn't provide any motivation for people to go and sign-up for Persona. Hence email registration only adds to friction.
- Most everyone remembers their email address (but they might not remember what usernames they used for which websites).
This one is real. Since Persona is about, well, persona it is more likely to remain etched in the memory of early adopters (ignore mass adoption for a later stage) provided it is done right, kept right etc. Mozilla is an amazing and capable organization so it should experiment more given that the project itself is an ambitious experiment.
Dumb users are dumb enough to try signing up with the same email id again. I am not very sure about Persona's positioning w.r.t same person having multiple email ids?
Agreed. However, Hacker News is a great example of why both email id and password recovery are immaterial for a product to be successful (Kudos PG!). I do agree with the simplicity of recovering forgotten password through email, but this is certainly not a show-stopper at this stage.
Another advantage is that you don't have to waste time validating your email address when you sign up for a new website. Persona has already validated your email.
IMO, another hard requirement should have been that it involve no other parties than the user and the site where they are establishing an account and that approach should be easy for everyone. Major email providers are compromised and therefore email providers should be designed out of the process. Asking average users to set up and maintain their own identity provider is asking too much.
Err, even though it does literally everything you want?
> Asking average users to set up and maintain their own identity provider is asking too much.
So you want a way to prove identity across multiple sites that avoids needing any of a central provider, third party providers, and self-hosted providers? Good luck with that...
To your second point, the problem is that self-hosting an identity provider requires a domain name, Internet accessible HTTPS server, and a server certificate that is trusted per Mozilla's cert bundle. For average users to benefit they'd have to set up their own server on their own premises or turn to a third-party for [identity] hosting service. For at least baseline requirement purposes, the device the user is using should be the only device they need to carry out their account creations and logins. I haven't thought it through, but maybe there could be an @localhost format where the browser itself acts as an identity provider.
A major part of the purpose of persona is to build a system that designs out the capability to engage in surveillance against the users.
They don't necessarily need to move the Mozilla organization, but then they'd need to make Persona an organization in itself and move that organization.
This is why data on Amazon, Google or Microsoft data centers in Europe and elsewhere are still open season for US authorities. The same would apply to Mozilla.
There's another misunderstanding in the post:
> Then NSA would have access to basically 40% of a user's
> browsing history, including URLs, the email address used,
> and time of visit.
The way it currently works is that when you want to log in, a pop-up window from persona.org is opened. This would make Persona able to collect data (which I don't think they're doing, but NSA could force them to).
> As I understand it, Persona doesn't 'phone home' each time authentication is required
I'm not an expert on the inner workings of Persona, but with the way Persona currently works it actually does fetch JS from the Persona servers on each page load. Try logging in on http://personaexamples.workhere.io/ and reload the page a couple of times while checking in Firebug / Chrome Developer Tools which JS files are loaded.
By the way, as a plug, I've implemented it on my site http://www.polifesto.com/
Sure, but those files would still open the persona.org pop-up, AFAIK (until Persona has been implemented directly in the browser). So until then persona.org could theoretically gather data.
Btw, I don't want to sound negative about your article, we're both fans of Persona and I'm really pleased you're talking about it :-)
"Microsoft admits Patriot Act can access EU-based cloud data" http://www.zdnet.com/blog/igeneration/microsoft-admits-patri...
The Switzerland of data if you will. You need a durable and sizable connection to the internet, plenty of energy, strong human rights and stable governance. Iceland almost fits the bill, but their governance is not stable enough.
Actually, Switzerland is actually not a bad option. They understand the necessity of privacy and are extremely stable politically. The canton principals are an excellent political stabilizer.
Firstly, Persona doesn't have access to any such information. The only interesting information that could be extracted by owning a Persona server is that user X using IP Y wants to connect to some service - but Persona doesn't know which service. So you only get the IP.
Secondly, well, anybody can become a Persona identity provider. Do you want to host one in insert-your-favorite-country here? Well, that's quick and easy.
Unless it's just for politics, to feel better, then go for it.
If they do MITM attacks, it will probably be on US citizens. Moving Persona out of the US would at least stop the snooping on non-US citizens.
For that matter, go look up Ivy Bells. Sure, fiber can't be tapped in the same manner, but you can get around that by placing your splice/tap during other outages, especially if you arrange for those too -- "Here's <insert amount> dollars/euros/ducats/doubloons/etc. Drag this across the bottom from point x to point y on your charts on date z, then cut it loose and leave it behind and go on your way."
Now, with a straight face, can you claim that you know, for sure, that your undersea links are pristine and unmolested, either at the end points with the equivalent of the infamous at&t "nsa rooms", or somewhere in the middle? Do you know, for sure, that the people who own the fiber trunks aren't playing ball with the nsa/mi6/dgse/etc?
Unless you own the entire infrastructure, and actively monitor it to be sure of such things, it is best to assume that your communications are vulnerable at some point along the way.
This claim and the claim of "I'm probably going through the US" are two entirely different claims.
Yes, using encryption helps. Yes, using non-US datacenters helps. Security is layers. It's not all hopeless. The US isn't all powerful.
You may, if you trust your hardware, your encryption software, and your key management, be able to keep that intercepted message from being read for some length of time. That is different than actually intercepting the traffic, which is trivial for the organizations we're talking about, and there is very, very little someone can do to avoid the interception.
Believing that being on a different continent makes you safe is deluding yourself.
It's a different story with Persona. Changing your entire user system isn't done overnight.
The reason that the NSA's behavior is so shocking is because Americans believed it was other countries, such as China, who possessed a vast surveillance state.
Unfortunately I can't think of a single state that has enough power and would want to keep data safe. Russia is basically dependent on US, China is not interested in keeping it safe, etc.
Tell that to Al Qaeda. You wanna depend on Ecuador/Cuba/China to protect your data? Yeah, they've got your back.
In most countries a warrant will get you access to private data - but what the NSA is doing here goes far beyond that.
Obviously, reality is entirely different but my point is that, in other countries/localities, these so-called fundamental freedoms either do not exist or are diminished. In most of the western world, governments have significant leeway into the private lives of their citizens in the areas covered by PRISM.
I think we can be reasonably certain that programs like this already exist, or are identical, in almost any country with the technical capacity to provide similar services to the US.
The US didn't invent most of those liberties. Your assumption that those liberties are not part of the law in other countries is wildly incorrect.
The assumption that most other western countries have as extensive intelligence gathering as the US needs proof. I'm aware that Sweden and the UK are quite big on data gathering, but there are hundreds of other countries in the world.
Let's look at the list of countries (order is random):
1. EU (probably only France, UK, Germany, possibly the Netherlands)
3. Canada, solely by proximity to the US
8. Australia, that's a big maybe though
11. South Korea
13. South Africa
14. Scandinavia (Finland, Denmark, Sweden)
These are the countries that likely have the technological advancement required to even offer cloud-based services of the scale and capability offered by US based organizations.
This is also assuming that significant parts of their overall connectivity do not route through US controlled territories or demarcation (which likely rules out any south-east Asian country like South Korea, Singapore, also Canada and Australia).
Of those remaining on the list, very few of them even have civil liberties legislation codified. A rough guess might be:
6. South Africa?
Israel we could likely rule out. Not exactly the most trustworthy government, and the close ties with the US likely means that they either participate in or benefit directly from PRISM.
As a collective whole, the Scandinavian countries likely could offer the level of cloud-based services provided but not individually.
So, in no particular order:
But, really, I'm not sure how much confidence you could have in any of those countries: The UK's GCHQ was very heavily involved in Prism themselves, much to our national shame, for instance.
Canada has it: http://www.michaelgeist.ca/content/view/6870/125/
Sweden has it:
A reasonable criterion could be: most reputable countries with law-abiding & transparent governments and best privacy laws. A list to start the research might include Switzerland, Iceland, Finland, Norway...
edit: never mind, reading the thread it's clear that few here have any idea what Persona is or how it works.
Right now it is indeed centralized. Check out the integration documentation and you'll see how. https://developer.mozilla.org/en-US/docs/Mozilla/Persona/Qui...
For instance, the quickstart guide mentions https://login.persona.org/include.js: "You must include this on every page which uses navigator.id functions. Because Persona is still in development, you should not self-host the include.js file."