Jeff,

Thanks for the thoughtful reply.  I take your point about putting
questions/bugs to the right place. A couple of questions if you have time.

You say that OAuth isn't about identity.  But this is a pig with
lipstick. Google and Facebook _are_ using it for identity. So are you
on Voost.

My question about 2-factor was about the UI.  Is this expected to
happen in the popup, or will users get directed to a Google URL?  With
OAuth the UI is in Google's control.  I don't understand what happens
with Persona.

The weird address is that _an_ address not belonging to the site
you're logging in to is shown anyway.  Perhaps 1 user in 100 will look and
say "**** I'm being spoofed, that's not the correct Persona
URL." Another (potentially) confusing issue is that with Mozilla as the
IdP I can use an arbitrary password with a GMail address (which I
am). Probably most people give the "real" password.

I don't understand your comment about Persona being particular about a
shared machine.  My point was that it's not particular from what I've seen.
Do you mean it's a bug?  Or that sharing a browser from the same (host PC)
account means it's my fault for being dumb?

What I should have said about hack attempts is another UI issue.  What
does the IdP do if it wants to tell the user in the browser that
they've had too many login attempts, for example? Also, will Mozilla alert
people to suspicious activity on their account by email when they act as IdP?
As I said at the beginning, I like Persona.  I think I'd be happy with
it for a non-particularly-secure app. Certainly happier than Google
OAuth, which seems lax with cookies (I could have got it wrong but
it seems not to cancel cookies when you revoke a token).  Perhaps
I should amend my initial comment to "I haven't been able to determine
to my satisfaction whether Persona is ready for prime time".

As a matter of interest what split do you get on Voost between
Facebook and Persona logins?  I'd guess perhaps 85/15?


On Wednesday, October 17, 2012 4:49:46 PM UTC+1, Jeff Schnitzer wrote:
>
> On Wed, Oct 17, 2012 at 1:32 AM, Tim Niblett <[email protected]> wrote: 
> > Jon, 
> > 
> > We're talking about identity, which is pretty catastrophic if it's wrong, 
> > so I'm operating with an abundance of caution. 
> > 
> > I love the idea of Persona, but don't know much about it, so please fill 
> > me in if you have answers to my questions/concerns. 
>
> I'm the other half of Voost - answers inline: 
>
> > Persona has only just gone into beta, and is under active development. 
> > I know Google has stretched our ideas of using Beta software in 
> > production, but still... 
>
> There are really two "halves" of Persona - the user-facing login 
> system, and the primary IdP system.  The primary IdP system just went 
> live, but the user-facing login system has been live with Mozilla's 
> secondary (email verification) IdP for over a year.  We've been using 
> it most of that time.  It's solid. 
>
> > Persona is distributed, but there aren't any (major) IdPs signed up yet. 
> > What happens if no-one signs up? Do I have to worry about the service 
> > just stopping in a couple of years? 
>
> Even if no primary IdPs sign up, the secondary (email verification) 
> backup IdP is a better experience than almost every username/password 
> system in existence.  So even the worst case scenario is still pretty 
> good.  However, Mozilla is working on a proxy IdP called "BigTent" 
> which will leverage the OpenID mechanisms of Gmail, Yahoo, and 
> Hotmail.  So those users will still get a seamless experience, even if 
> the three never officially become primary IdPs for Persona.  That 
> covers something like 90% of all users. 
>
> What happens if Persona goes away?  Persona logins are keyed by email 
> address.  Removing Persona from your system is fairly trivial - add a 
> conventional email/pw/forgot login form, assign random passwords to 
> all your users, and give them a note letting them know of the change. 
>
> > I use 2-factor authentication on my Google account.  How will this work? 
>
> If Google adds primary IdP support, they control the login process. 
> Even if they don't, BigTent will run the user through the standard 
> openid Google auth process.  Currently (with the backup IdP) it 
> requires an email roundtrip. So 2-factor auth is accounted for. 
>
> > In my tests Persona can be pretty slow.  What are Mozilla doing about 
> > provisioning, load spikes, etc? 
>
> I suspect the slow part ("We're sorry, this is taking a loooong time") 
> is the public key cryptography being run in javascript on the client. 
> They're balancing the need for sufficiently strong encryption with the 
> need for something that runs fast enough in javascript on crappy 
> hardware.  After the first login to a new site I don't find this to be 
> an issue.  Also:  The protocol is designed to be implemented natively 
> in the browser, so the javascript shim is just a bootstrapping tool. 
> When browser support becomes ubiquitous (Firefox support is coming 
> soon) speed will not be an issue. 
>
> FWIW, there is much talk of performance on the identity-dev mailing 
> list.  If you have questions, it's a good place to ask.  I know they 
> have significant server capacity and have put a lot of thought into 
> reliability and operational processes. 
>
> > I've had some issues with the popup being suppressed sometimes on iOS. 
> > Don't know why, but it's a no-no if users can't log in. Also, it's easy to 
> > spoof the popup, as it has a weird address in the address bar anyway. 
>
> If you see issues on iOS, please report them as bugs.  I have not 
> heard reports from iOS users about not being able to log in, and we 
> have many such users. 
>
> I also don't know what you mean about the weird address.  The popup 
> address in the URL bar is https://login.persona.org/sign_in. 
>
> > During my (very limited) testing I used 2 Google Accounts.  Could easily 
> > be 2 users of the one machine.  When a session expired I'd log in to 
> > account A with a password, and after logging off and in again account B 
> > was available _without_ a password, which I didn't like.  Not that this is 
> > any worse than other providers; we've had nasty incidents with Google 
> > login cookies. 
>
> Persona is fairly particular about "Is this a shared machine?" 
> Inherent in the distributed nature is the fact that the primary IdP is 
> not consulted every time a user logs in; this would leak information 
> to the primary IdP.  Right now when you use Facebook auth on a site, 
> Facebook knows that you logged into that site.  This is a major 
> privacy issue that Persona addresses. 
>
> > If you use Facebook as identity provider (or Google to a lesser extent) 
> > you get told about failed login attempts and other stats to help protect 
> > your account.  Does/will Persona offer such facilities?  Will the IdPs be 
> > able to? 
>
> I believe you are confusing the IdP with the account owner.  Facebook 
> notifies the _account owner_ about failed logins, but not the relying 
> party.  There's no reason why primary IdPs could not continue to 
> notify account owners of hack attempts - although you won't know what 
> specific site is being attacked, because primary IdPs don't get that 
> information (an information leak).  But it's pretty irrelevant - if 
> your email password is being attacked, the solution is to make sure 
> your email password is strong. 
>
> Jeff 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-appengine/-/37Hj05vHNB0J.