We want to do better: we want to get rid of the Persona servers altogether. As tlocke said, Persona is designed to let you choose who you trust, and anything that requires centralization is considered a bug.
There are 4 points of temporary centralization, each of which can be replaced independently:
1. The JS polyfill. Until we stabilize the API, we ask that you link directly to login.persona.org/include.js
2. The persona.org interface. Once browsers have native support for Persona, that will supersede both the polyfill and the persona.org interface. This is all based on what Mike Hanson called Locally Isolated Feature Domains (LIFD): http://www.open-mike.org/entry/lifding-the-web
3. The Fallback IdP. If your email provider doesn't support Persona, Mozilla will certify your identity after you click a confirmation link sent to your email address. If your email provider does support Persona, it automatically supplants Mozilla's fallback.
4. The Hosted Verifier. Until we stabilize the data formats, we recommend that sites POST identity assertions to verifier.login.persona.org/verify for verification. The assertions necessarily contain your email address and the site you're logging into. We want this to go away soon, and François Marier has suggested a pretty slick way to get us there. Until then, we've got a strong privacy policy in place and we limit the data we log. I believe Ben Adida is going to comment more on that shortly.
If you're interested in getting involved, drop me a line and I'd be happy to help you get started.
Thanks for commenting - it's good to hear that you are aware of the issues and that Persona is moving in the right direction.
Also: Good job on Persona - you guys deserve praise - as I said in the blog post, I'm very excited about Persona, primarily because I see it as a huge user experience improvement over the current normal sign-in flow.
To clarify more: Persona is not "moving in this direction," it has always been designed as a completely decentralized identity solution. The Persona server is just a bootstrap to get it started so here's what you can do: create as many identity providers as you can! Seriously, put one in every country.
I think persona is extremely useful. The only addition I'd like is for a similar service that allows you to query an identity provider for a public key for a user.
> Mozilla will certify your identity after you click a confirmation link sent to your email address.
Asking email address for sign-up is perhaps important, but I'm wondering why can't it be removed completely from the process? It is a piece of friction, and potentially identifying as OP puts it in his post?
Can't we be just done with the requirement of email address? Let early users, especially those who inspire the rest of the bell curve, remember their persona id with some personal questions that the user may so choose.
- Most everyone remembers their email address (but they might not remember what usernames they used for which websites).
- Email addresses are unique, so when a user signs up for Persona, they don't have to go through that time-wasting "this username is taken, try this one instead" process.
- Email addresses make it easy to recover forgotten passwords.
So - while I see your point - I think that email addresses are the best option.
Email addresses aren't exactly unique per-person though. I frequently forget which email I've used on a website, but rarely the username (except for ones where I don't get to choose)
I mostly agree. Now this may be a bit difficult to explain, but all the logic in the points above sort of align towards the intent of achieving mass adoption. But I am afraid that mass adoption is not going to happen just like that. And it is certainly not going to depend on the fact that everyone uses email.
Let's look at an ordinary user first. An ordinary user doesn't half understand the subject of privacy. He/she is rather more interested in sharing his/her best looking picture on Facebook. Or worried about landing a good job with a nice new email with all the strengths. Which is the cool app, what is the next device he can show off etc.
Why would Persona matter to such a user? A type that is the majority and we've counted them all in the statement 'everyone on the 'Net has one'. So this is more like opening an end of a small pipe to the atmosphere thinking that all the air will pass through it.
- Most everyone on the 'Net has one.
Yes. But it doesn't provide any motivation for people to go and sign-up for Persona. Hence email registration only adds to friction.
- Most everyone remembers their email address (but they might not remember what usernames they used for which websites).
This one is real. Since Persona is about, well, persona it is more likely to remain etched in the memory of early adopters (ignore mass adoption for a later stage) provided it is done right, kept right etc. Mozilla is an amazing and capable organization so it should experiment more given that the project itself is an ambitious experiment.
- Email addresses are unique, so when a user signs up for Persona, they don't have to go through that time-wasting "this username is taken, try this one instead" process.
Dumb users are dumb enough to try signing up with the same email id again. I am not very sure about Persona's positioning w.r.t same person having multiple email ids?
- Email addresses make it easy to recover forgotten passwords.
Agreed. However, Hacker News is a great example of why both email id and password recovery are immaterial for a product to be successful (Kudos PG!). I do agree with the simplicity of recovering forgotten password through email, but this is certainly not a show-stopper at this stage.
I don't think Persona is pitched for the tech-savvy. On the contrary, I think Persona offers a huge advantage for normal users: You can do one-click sign-ups and log-ins for new websites (provided that you've already signed up for Persona and that you've checked the "save my session" button or whatever it's called).
Another advantage is that you don't have to waste time validating your email address when you sign up for a new website. Persona has already validated your email.
It would seem that developers receiving verified email addresses of users was deemed more important than privacy and supporting scenarios where email addresses aren't required to establish accounts :( IMO, a hard requirement should have been that email addresses are optional and Mozilla should go back to the drawing board for that reason alone. The "it technically doesn't have to be a working email address if the identity provider doesn't want it to be" argument isn't enough.
IMO, another hard requirement should have been that it involve no other parties than the user and the site where they are establishing an account and that approach should be easy for everyone. Major email providers are compromised and therefore email providers should be designed out of the process. Asking average users to setup and maintain their own identity provider is asking too much.
>The "it technically doesn't have to be a working email address if the identity provider doesn't want it to be" argument isn't enough.
Err, even though it does literally everything you want?
>Asking average users to setup and maintain their own identity provider is asking too much.
So you want a way to prove identity across multiple sites that avoids needing any of a central provider, third party providers, and self-hosted providers? Good luck with that...
To your first point, who is the identity provider? In practice, it will almost always be 1) a third party, and 2) an email provider that is unlikely to deviate from the "must be a functional email address" approach. So in order to benefit from that support and stay away from third party identity providers you must run your own identity provider.
To your second point, the problem is that self-hosting an identity provider requires a domain name, Internet accessible HTTPS server, and a server certificate that is trusted per Mozilla's cert bundle. For average users to benefit they'd have to setup their own server on their own premises or turn to a third-party for [identity] hosting service. For at least baseline requirement purposes, the device the user is using should be the only device they need to carry out their account creations and logins. I haven't thought it through, but maybe there could be an @localhost format where the browser itself acts as an identity provider.
They're ubiquitous. They're an easy unique identifier. And they're free, as in cheap. Meaning they don't have to have any sort of relevant identity. I have dozens of email addresses and only two that are related to my real "identity".
The fact that Mozilla is a US corporation means that it will still have to give the US government the data it asks for, regardless of where the servers are hosted.
I know. That's why I wrote in the article that they will need to move "both the legal entity behind [Persona] and the servers involved" to another country :)
They don't necessarily need to move the Mozilla organization, but then they'd need to make Persona an organization in itself and move that organization.
Just a bump to support this comment. Too many people do not realize that the privacy breaching laws (public and secret, if they are even adhered to by the govt) extend to any US entity wherever the data is in the world.
This is why data on Amazon, Google or Microsoft data centers in Europe and elsewhere are still open season for US authorities. The same would apply to Mozilla.
How is this compatible with European privacy laws? Wouldn't this mean European customers would be able to sue those companies over violation of these laws?
Mozilla Persona is federated, so the BrowserId service is provided by the email provider. Mozilla provide a fallback service, in case your email provider hasn't set one up. So just pick an email provider in the country of your choice.
There's another misunderstanding in the post:
> Then NSA would have access to basically 40% of a user's
> browsing history, including URLs, the email address used,
> and time of visit.
As I understand it, Persona doesn't 'phone home' each time authentication is required. It's intended that the browser authenticates you from its cache, and only refers back to the Persona server from time to time, and doesn't tell the Persona server anything about the sites you've been visiting etc.
> Mozilla Persona is federated, so the BrowserId service is provided by the email provider. Mozilla provide a fallback service, in case your email provider hasn't set one up. So just pick an email provider in the country of your choice.
The way it currently works is that when you want to log in, a pop-up window from persona.org is opened. This would make Persona able to collect data (which I don't think they're doing, but NSA could force them to).
> As I understand it, Persona doesn't 'phone home' each time authentication is required
I'm not an expert on the inner workings of Persona, but with the way Persona currently works it actually does fetch JS from the Persona servers on each page load. Try logging in on http://personaexamples.workhere.io/ and reload the page a couple of times while checking in Firebug / Chrome Developer Tools which JS files are loaded.
You can self-host the js files wherever you like. It's not recommended that you do because Persona is still evolving. However the point is that the protocol is completely decentralized.
> You can self-host the js files wherever you like
Sure, but those files would still open the persona.org pop-up, AFAIK (until Persona has been implemented directly in the browser). So until then persona.org could theoretically gather data.
Firefox OS includes pseudo-native implementation, with some work still getting farmed out to persona.org. Ozten and Jedp are working on the beginnings of truly native support in desktop Firefox. We've held off on pushing too far in that direction while we toyed with the API and data formats, but things seem to be shaping up.
I think that the vast majority of tech companies need to seriously consider relocating outside US jurisdiction, in a similar manner to which they have already off-shored their finances.
I wonder if this will lead to tax-haven countries, the same way we currently have tax-haven countries or even something which would be equivalent to Switzerland's renown in finance.
The Switzerland of data if you will. You need a durable and sizable connection to the internet, plenty of energy, strong human rights and stable governance. Iceland almost fits the bill, but their governance is not stable enough.
Actually, Switzerland is not a bad option. They understand the necessity of privacy and are extremely stable politically. The canton principles are an excellent political stabilizer.
http://en.wikipedia.org/wiki/Cantons_of_Switzerland
Firstly, Persona doesn't have access to any such information. The only interesting information that could be extracted by owning a Persona server is that user X using IP Y wants to connect to some service - but Persona doesn't know which service. So you only get the IP.
Secondly, well, anybody can become a Persona identity provider. Do you want to host one in insert-your-favorite-country here? Well, that's quick and easy.
As stated elsewhere there's a difference between how Persona works now and how it eventually will work. Persona at this stage is stable and works very well, but it does communicate with and send private data to persona.org, which is owned by an American organization (Mozilla).
It seems to me that if the NSA is able to force Mozilla to put in such tracking into Persona (which in its current form, where using the scripts at persona.org is recommended, would be possible—later on, you'd need to modify the source and get people to update to it), you don't need to worry about it in the slightest. You've already got much larger problems: putting tracking into the browser itself would be much more effective.
If I have my datacenter in Iceland and you connect from France, I really doubt you're going to waste valuable transcontinental bandwidth with high latency and extra hops by routing through NYC first.
If the US decides your France<->Iceland traffic is that valuable, it's a small matter to reach an arrangement with friendly-or-easily-pressured governments, agencies, or companies to have your traffic routed in such a way that the US can see it, whether that's in the US or not, or to just have one of those governments, agencies, or companies play MITM and pass everything over wholesale.
For that matter, go look up Ivy Bells. Sure, fiber can't be tapped in the same manner, but you can get around that by placing your splice/tap during other outages, especially if you arrange for those too -- "Here's <insert amount> dollars/euros/ducats/doubloons/etc. Drag this across the bottom from point x to point y on your charts on date z, then cut it loose and leave it behind and go on your way."
Now, with a straight face, can you claim that you know, for sure, that your undersea links are pristine and unmolested, either at the end points with the equivalent of the infamous at&t "nsa rooms", or somewhere in the middle? Do you know, for sure, that the people who own the fiber trunks aren't playing ball with the nsa/mi6/dgse/etc?
Unless you own the entire infrastructure, and actively monitor it to be sure of such things, it is best to assume that your communications are vulnerable at some point along the way.
If your communications are vulnerable, and your communications are of interest to governments, then there's very little you can do to avoid it being intercepted.
You may, if you trust your hardware, your encryption software, and your key management, be able to keep that intercepted message from being read for some length of time. That is different than actually intercepting the traffic, which is trivial for the organizations we're talking about, and there is very, very little someone can do to avoid the interception.
Believing that being on a different continent makes you safe is deluding yourself.
Unfortunately, you don't need to tap an authentication system to spy which services people are visiting. You can achieve the same for example by ordering a popular jQuery CDN to collect HTTP referrers, IP addresses and browsers fingerprints.
Suppose we found out that the NSA was snooping through the jQuery CDNs. It would only take five minutes for website owners to change their jQuery locations.
It's a different story with Persona. Changing your entire user system isn't done overnight.
Opposing a strong US tech industry seems like a better bet for non-Americans right now. If the tech world were distributed across nations in a more balanced way the public would have more leverage today.
I have a better suggestion, make government snooping impossible.
The reason that the NSA's behavior is so shocking is because Americans believed it was other countries, such as China, who possessed a vast surveillance state.
I disagree. The world needs a 'data safe haven', and it is much better for everyone if that haven is a strong country like the US. Distributed/Piecemeal efforts to maintain data security will be easy to kill.
I understood grandparent's post as asking for a country with lot of political power and clout (like US) to be a data safe haven.
Unfortunately I can't think of a single state that has enough power and would want to keep data safe. Russia is basically dependent on US, China is not interested in keeping it safe, etc.
What on earth are you talking about! Centralized is always easier to kill than distributed. I guess whatever startup or company you work for doesn't have to worry about scaling.
I can't believe we're having an argument here. First of all, if you are a US citizen then most of what you've been fed about "Al Qaeda" is nonsense. Second of all, you don't appear to understand what distributed means. I wouldn't be depending on Ecuador/Cuba/China in isolation but rather everywhere. Before you waste any more time you should probably read some articles on Wikipedia.
Thanks for the snarky comment, but the fact that there are countries with overreaching intelligence agencies doesn't mean that every country is like that.
In most countries a warrant will get you access to private data - but what the NSA is doing here goes far beyond that.
rasterizer is correct. I think people are misguided in believing that there are viable alternatives. The reason this is such a big deal is that the US (on paper anyway) is built on a tenet of civil liberties which is/was unique.
Obviously, reality is entirely different but my point is that, in other countries/localities, these so-called fundamental freedoms either do not exist or are diminished. In most of the western world, governments have significant leeway into the private lives of their citizens in the areas covered by PRISM.
I think we can be reasonably certain that programs like this already exist, or are identical, in almost any country with the technical capacity to provide similar services to the US.
> The reason this is such a big deal is that the US (on paper anyway) is built on a tenet of civil liberties which is/was unique.
The US didn't invent most of those liberties. Your assumption that those liberties are not part of the law in other countries is wildly incorrect.
The assumption that most other western countries have as extensive intelligence gathering as the US needs proof. I'm aware that Sweden and the UK are quite big on data gathering, but there are hundreds of other countries in the world.
My point is that the number of countries with the capacity/capability to provide the level of service that the US provides is quite small. Of those, I imagine most if not all of them have similar data gathering practices that extends to their own citizenry, so non-citizens are not even an issue.
Let's look at the list of countries (order is random):
1. EU (probably only France, UK, Germany, possibly the Netherlands)
2. Israel
3. Canada, solely by proximity to the US
4. Japan
5. China
6. Brazil
7. Russia
8. Australia, that's a big maybe though
9. India
10. Iran
11. South Korea
12. Singapore
13. South Africa
14. Scandinavia (Finland, Denmark, Sweden)
These are the countries that likely have the technological advancement required to even offer cloud-based services of the scale and capability offered by US based organizations.
This is also assuming that significant parts of their overall connectivity do not route through US controlled territories or demarcation (which likely rules out any south-east Asian country like South Korea, Singapore, also Canada and Australia).
Of those remaining on the list, very few of them even have civil liberties legislation codified. A rough guess might be:
1. EU
2. Israel
3. Japan
4. Brazil
5. Scandinavia
6. South Africa?
Israel we could likely rule-out. Not exactly the most trustworthy government, and the close ties with the US likely means that they either participate in or benefit directly from PRISM.
As a collective whole, the Scandinavian countries likely could offer the level of cloud-based services provided but not individually.
All the Scandinavian countries you list are actually EU members — a better term for your first group would be Western Europe.
But, really, I'm not sure how much confidence you could have in any of those countries: The UK's GCHQ was very heavily involved in Prism themselves, much to our national shame, for instance.
You can't, but rumors can give you a hint. There were rumors for years and years about extensive NSA intelligence gathering (see e.g. this: http://projects.washingtonpost.com/top-secret-america/articl...). I haven't heard the same amount of massive rumors regarding any of the EU intelligence agencies.
Your linking to the laws documenting legal frameworks for eavesdropping implies we can know about them with some confidence. It would be prudent to pick countries where we can with the most confidence guess that there isn't a PRISM like system.
A reasonable criterion could be: most reputable countries with law-abiding & transparent governments and best privacy laws. A list to start the research might include Switzerland, Iceland, Finland, Norway...
That's the same conclusion I've come to. These headlines lately have given me reason to dig in and do lots of research and it seems that 9/11 was the catalyst for a majority of this. Or at least 9/11 was the convenient excuse for doing something that was going to happen anyways. [EDIT] Removed my stupid remark that was probably caused by me waking up grouchy. Sorry.
Why? Nothing about it is remotely centralized and eventually it won't require ANY sort of server-side resources. The entire point is that you trust who you want to be your IdP
edit: never mind, reading the thread it's clear that few here have any idea what Persona is or how it works.
Nope, that's the Quickstart guide. It's possible to do it without using Mozilla's servers. Someone just a couple weeks ago posted a writeup on how they did it themselves.
I would assume that most website owners will go with the integration method Mozilla currently recommends, and that method is centralized.
For instance, the quickstart guide mentions https://login.persona.org/include.js: "You must include this on every page which uses navigator.id functions. Because Persona is still in development, you should not self-host the include.js file."
Okay, but for anyone like us, we can self-host and just make sure it stays mirrored and up to date. The only other bit is doing the verification on your own server instead of trusting them. That's as big a deal as anything.