On 9 August 2013 14:08, Mike Hearn <mike@plan99.net> wrote:
Bitcoin sought to reduce dependence on trusted third parties, where as, persona is increasing the reach of trusted third parties.  The keys and passwords are stored on mozilla's servers, sometimes on your email providers.  Persona, is however, a progression and will hopefully improve its security and decentralization as it goes along.

When Persona is supported by all the key players in a transaction Mozilla doesn't get anything, do they? You can easily run your own IDP on a personal server if you're the kind of person who likes to do that, then run Firefox so you have a native implementation and the Mozilla servers aren't involved. The keys never leave your computers.

You'd need to run your own email server and/or change email address, which is not in the reach of the average user, and maybe not even of some businesses.
 

Whilst X.509 certs can indeed be issued for any arbitrary string, you still need a CA that will do it for you, and that's typically not so trivial. CAs aren't meant for widespread end user adoption, really, whereas Persona is.

You can self sign X.509 certificates quite easily (e.g. one click via <KEYGEN>), then rely on a decentralized web of trust to remove browser warnings.  A few people are working on this.
 

I don't think Persona is any more or less centralised than other PKIs, really, just easier to use. Ultimately the string you're verifying is a user@host pair, so the host is centralised via DNS and to verify the assertions it vends, you must use SSL to connect to it, so under the hood the regular SSL PKI is still there.



It is easier to use, that's a great plus.  But convenience is often a trade off with security. 

I dont user user@host, I use my home page because it's easy to dereference and get a public key.  Email is hard to dereference.

Yes, there is a reliance on DNS, which Tim calls the 'Achilles heel' of the web, but it's held up quite well so far (fortunately for us). 

Mozilla also have a master key to most email accounts, so if anyone got access to that they could impersonate the vast majority of users that have not opted in.  I would not use persona for financial stuff, but if I made a casual app with non sensitive information it would be one of the top choices, imho