On 9 August 2013 14:08, Mike Hearn wrote:

>> Bitcoin sought to reduce dependence on trusted third parties, whereas
>> persona is increasing the reach of trusted third parties. The keys and
>> passwords are stored on mozilla's servers, sometimes on your email
>> providers. Persona, is however, a progression and will hopefully improve
>> its security and decentralization as it goes along.
>
> When Persona is supported by all the key players in a transaction Mozilla
> doesn't get anything, do they? You can easily run your own IDP on a
> personal server if you're the kind of person who likes to do that, then run
> Firefox so you have a native implementation and the Mozilla servers aren't
> involved. The keys never leave your computers.

You'd need to run your own email server and/or change email address, which
is not in the reach of the average user, and maybe not even of some
businesses.

> Whilst X.509 certs can indeed be issued for any arbitrary string, you
> still need a CA that will do it for you, and that's typically not so
> trivial. CAs aren't meant for widespread end user adoption, really, whereas
> Persona is.

You can self sign X.509 certificates quite easily (e.g. one click via ),
then rely on a decentralized web of trust to remove browser warnings. A few
people are working on this.

> I don't think Persona is any more or less centralised than other PKIs,
> really, just easier to use. Ultimately the string you're verifying is a
> user@host pair, so the host is centralised via DNS and to verify the
> assertions it vends, you must use SSL to connect to it, so under the hood
> the regular SSL PKI is still there.

It is easier to use, that's a great plus. But convenience is often a trade
off with security. I don't use user@host, I use my home page because it's
easy to dereference and get a public key. Email is hard to dereference.
Yes, there is a reliance on DNS, which Tim calls the 'Achilles heel' of the web, but it's held up quite well so far (fortunately for us). Mozilla also have a master key to most email accounts, so if anyone got access to that they could impersonate the vast majority of users that have not opted in. I would not use persona for financial stuff, but if I made a casual app with non sensitive information it would be one of the top choices, imho