Post by Adrian Gropperemail is a convenient way to specify a persona.
I think this is a reasonable statement. Bear in mind some will strongly
agree, some will strongly disagree. But let's so for now this is perfectly
reasonable (I think it is)
However that's not the formulation of persona etc. The formulation in
persona is slightly different
- email is the *only* way to specify a persona
This is problematic, and contrasts with widely adopted systems such as
OAuth.
There's a general principle in a lot of standards that says dont restrict
unless you have to. This also plays into the hands of webmail providers.
If I were one I'd pay people to spread the message that email was the one
identifier to rule them all, and nothing else counts. If facebook didnt
exist, you could easily think that way (not that Im saying we should all
use facebook).
Post by Adrian GropperWebFinger can transform the email into any other URI such as one pointing
to a personal authorization server with OAuth as the framework.
Only if your email provider supports this. Many are moving away from it,
or didnt use it in the first place. I think it's been turned off in a lot
of instances. Also it means, say in the case of gmail, that google control
your record, not the user. This is the downside of the convenience gained
by overloading email for 2 or 3 purposes ... and one big reason that
centralization was introduced to persona, which I think was a contributory
factor to its failure. The big webmail companies have no incentive to give
up control of email profiles.
My main point here is that, such overloading is unnecessary in a well
designed system, and not particularly hard to implement, it amounts to
tying a key value pair to an entity. This is what pretty much all
programming data structures do anyway. As I say the hack of overloading an
identifier
Post by Adrian GropperThe authentication and reputation issues then need to build upon that.
Yes! Authentication and reputation are modular concerns in themselves
built on top of the first layer. It took us a few years to work this out
in the WebID community, but this insight is a valuable one IMHO
Post by Adrian GropperAdrian
Post by Melvin CarvalhoPost by b***@gmail.comAndrew,
I looked originally at https://passwordless.net/ , which I used as
inspiration for my own (non node-js) implementation.
The big weakness of Passwordless that I had to overcome was the
verification link getting clicked on a different user agent. e.g. you
are
Post by b***@gmail.comtrying to log in on your desktop browser, but click the verification
link
Post by b***@gmail.comon your phone. This was easily solved using a websocket on the original
page to receive a pushed token as soon as the link is clicked. I guess
you
Post by b***@gmail.comcould also use long polling. Not sure what Persona did, but they also
solved this same issue.
Melvin,
If your use case involves being able to communicate with the user via
email, as I suspect many use cases do, then identity being bound to
email
I dont think this is accurate. What you are saying is you'd like to
1. Be a primary identifier for verification.
2. Be a memorable string you type into a form
3. Be a message delivery system.
This is from one perspective a neat hack, but from another perspective a
horrible architectural design decision.
Overloading is always a great sugar rush as it gets something working quite
fast (as happened with persona) ... the cracks appear down the line.
Typically in programming you tie key value pairs to entities (think JSON)
and can enrich identity with say your name, your avatar, your email address
... in fact it's open ended.
Post by b***@gmail.comOn Mon, Jan 25, 2016 at 9:53 AM, Melvin Carvalho <
Post by Melvin CarvalhoPost by Andrew DuckerPost by Andrew DuckerWhat system did you move to? I need to do this work at some point
in
Post by b***@gmail.comPost by Melvin CarvalhoPost by Andrew Duckerthe next month or two, and any advice is gratefully accepted.
Note also that a small group of people is currently hacking on a new
https://github.com/letsauth/letsauth.github.io/wiki
You might want to see how they fare (the group includes some people
who also worked on Persona, including myself).
Nice idea.
But it suffers from the same weaknesses as Persona.
- Lacks slightly a clean separation of identity and and authentication
(verifying identity) -- I may be wrong there
- Is too tightly bound to email. Inevitably you'll go up against the
big
Post by b***@gmail.comPost by Melvin Carvalhowebmail providers who will end up shutting you down. Or you'll
introduce
Post by b***@gmail.comPost by Melvin Carvalhoa
central point of failure a la Persona.
Do we really want to repeat the same mistakes again? A much better way
IMHO is to allow any type of identity (ie a URI) and offer the user
that
Post by b***@gmail.comPost by Melvin Carvalhofreedom, which OAuth does a lot better. Then allow cryptographic
proofs
Post by b***@gmail.comPost by Melvin Carvalhoto
verify that identity, instead of having to remember a password for
every
Post by b***@gmail.comPost by Melvin Carvalhosite -- or in the case of Persona two passwords per email address!
Post by Andrew DuckerCheers,
Dirkjan
_______________________________________________
dev-identity mailing list
https://lists.mozilla.org/listinfo/dev-identity
_______________________________________________
dev-identity mailing list
https://lists.mozilla.org/listinfo/dev-identity
_______________________________________________
dev-identity mailing list
https://lists.mozilla.org/listinfo/dev-identity
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/