> Wait. So, my email provider (Yahoo) can now keep track of every website I login to, if he wants? How can I stop Yahoo being the middleman?
Nope.
Architectures like OpenID "phone home" and report your movement across the web.
Persona was explicitly designed to be privacy preserving.
> Second question, if an attacker knows my Yahoo password, can he potentially login to _all_ Persona-powered websites with my email then?
Yes, if an attacker has your Yahoo email address and password, they can log in as you. BUT, you can take advantage of two factor auth from Yahoo as well as other security features they provide, to keep yourself safe.
No, because Persona mediates, and Yahoo only knows that you're using your Yahoo identity with Persona, nothing more. That's a key privacy property of Persona.
However, if you use the "login with Yahoo" button (or Google or Facebook), then yes, they can track all of your activity.
To your second point: great question! No, the attacker cannot. We still protect your other email addresses with a Persona password.
Oh wait, I misread your point. Yes, the attacker can log into all Persona web sites if they know your Yahoo password. But that's the way the cookie crumbles with federated identity. It's the same thing if you pick a Yahoo email address as your recovery email. Pick your identity providers wisely!
Isn't the second question equivalent to what we have now? If an attacker knows my Yahoo password, can he potentially reset all the passwords of sites I registered with using my Yahoo email address and log in to them?
Email accounts are almost everyone's Achilles' heel. Even without Persona, the attacker could still go around to websites and request password resets if they have access to your email.