What's up with Persona's Future?

[Dan Callahan]

Hey y'all,

There's been a lot of confusion and concern over Persona's status. I'll
get a blog post out on the Identity blog by this time next week, but
until then, here are a few brief thoughts off the top of my head.

- Persona is currently in maintenance mode. Critical bugs, service
disruptions, and security fixes will still pre-empt other work until
resolved.

- Mozilla's new NOC (the "MOC") is taking over tier 1 incident response
for Persona. We will have human-backed 24/7 monitoring of Persona, which
should *improve* reliability and incident response times.

- There are no plans to decommission Persona. If it works for you,
please use it. We will support you.

- As of this month, all of Persona's paid engineers have been
reallocated to other projects within Mozilla's Cloud Services group.
However, many of us continue to work on Persona in our free time.

- Further feature development will need to be driven by community
contributions.

So if Persona works for you now, awesome! If you're waiting for major
new features, you may be waiting indefinitely.

Why are we pausing paid feature development on Persona?

- Persona didn't receive as much adoption as we were hoping for by this
point. Much of the blame here lies in our own delay at shipping stable
APIs, data formats, and self-hostable polyfills.

- To be successful, Firefox and FirefoxOS need a suite of integrated
services (Sync, Marketplace, Find My Phone, etc) and a common account
system (Firefox Accounts). These initiatives are of higher priority and
greater time sensitivity than Persona.

- Firefox Accounts are necessary because Persona on its own is not
sufficient or necessarily a good fit for Sync or Marketplace's use
cases. For instance, Sync *needs* a human-knowable password for entropy,
while Persona doesn't necessarily use passwords at all.

Again, this is hastily written, but I wanted to make sure folks on list
were aware of where Persona was after the confusion of this past
weekend. Look for the blog post next week for something a little better
fleshed-out.

In the meantime, I'm happy to answer questions.

Best,
-Callahad

PS: Persona is open source! We'd love to see you on GitHub. :)

[Andrew Ducker]

Does this mean that Persona isn't getting built into FF? And that the Data formats/API aren't going to be stabilised/published so that it can be properly decentralised?

Andrew

[Dan Callahan]

On 2/19/14, 16:56, Andrew Ducker wrote:
> Does this mean that Persona isn't getting built into FF?

It means that Persona is less likely to get built into Firefox.

On the upside, Firefox Accounts uses many of the same data formats,
which future patches or add-ons could re-use to support Persona.

> And that the Data formats/API aren't going to be stabilised/published
so that it can be properly decentralised?

We've got a draft sketching out the changes necessary to bring Persona
into line with IETF JOSE drafts and a simplified RP API here:

https://github.com/mozilla/id-specs/tree/greenfield/browserid/

It is still my intention to get these changes into production as soon as
possible. It's just that "as soon as possible" is a little further off,
now that I'm hacking on this on nights and weekends. :)

Part of the work is already complete:

- The Firefox Accounts assertion verifier recognizes both generations of
Persona data formats.

- The revised RP API is effectively done, and just needs another Persona
release to go live.

Best,
-Callahad

[Jed Parsons]

Hi, Andrew,

> Von: "Andrew Ducker" <and...@ducker.org.uk>
> Gesendet: Mittwoch, 19. Februar 2014 14:56:13
>
> Does this mean that Persona isn't getting built into FF?

Well, this decision certainly isn't helping that happen any faster.

The good news for inclusion in Firefox is that work on Firefox Accounts (which is BrowserID-based) has helped land a lot of the necessary core code.

Last year, Austin King and Ryan Feeley made great strides in putting us in a position close to landing. A ton of work that Matthew Noorenberghe put into native Persona is waiting to land.

The biggest challenges for getting Persona in Firefox at this point, in my opinion, center around UX questions (particularly, I think, regarding primary delegation). Different folks have differing views about how this should appear.

I think this could be done, at the very least in an experimental (preffed-off) kind of way, without a tremendous amount of work.

So ... if anybody has some interest in working on this in their spare time, please let me know!
j

> And that the Data
> formats/API aren't going to be stabilised/published so that it can be
> properly decentralised?
>
> Andrew

> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity
>

[Dirkjan Ochtman]

On Thu, Feb 20, 2014 at 6:42 PM, Jed Parsons <jpar...@mozilla.com> wrote:
> So ... if anybody has some interest in working on this in their spare time, please let me know!

I'm definitely interested. Is there a list of concrete things to do?
Bugs to follow/subscribe to?

Cheers,

Dirkjan

[Dan Callahan]

On 2/19/14, 15:03, Dan Callahan wrote:
> I'll get a blog post out on the Identity blog by this time next week

Just a heads up: I'm delaying the blog post until next week at the
request of Mozilla's PR folks, who'd like to be available to respond to
inquiries from the press. They were busy with Mobile World Congress this
week.

-Callahad

[Leen Besselink]

That was my thought too, mine was a bit more high level which is:
what does the current (new ?) roadmap look like ?

> Cheers,
>
> Dirkjan

[bre...@gmail.com]

I presume the work toward landing BrowserID in Firefox would require knowledge of C++?

[Sean McArthur]

I haven't touched any of this specific code, so I could be full of it.
However, most the C++ code of Firefox involves platform-specific stuff.
Most of the UI and it's features are written in JavaScript and XUL.

http://hg.mozilla.org/mozilla-central/file/d8b2e3738785/dom/identity

On Sun, Apr 6, 2014 at 4:24 PM, <bre...@gmail.com> wrote:

> I presume the work toward landing BrowserID in Firefox would require
> knowledge of C++?

[Jed Parsons]

This is correct; C++ not necessary. Landing Persona in Firefox would be a matter of programming in JS and XUL. The hardest nut to crack, in my opinion, is the UX, in particular the presentation of the flow for authentication with primaries.

I would love to hack on this with anyone. Various people in this group and the Firefox team have worked on the problem, but of course we haven't yet figured it all out.

j

----- Ursprüngliche Mail -----
> Von: "Sean McArthur" <smca...@mozilla.com>
> An: bre...@gmail.com
> CC: dev-id...@lists.mozilla.org
> Gesendet: Montag, 7. April 2014 10:07:25
> Betreff: Re: What's up with Persona's Future?

>
> I haven't touched any of this specific code, so I could be full of it.
> However, most the C++ code of Firefox involves platform-specific stuff.
> Most of the UI and it's features are written in JavaScript and XUL.
>
> http://hg.mozilla.org/mozilla-central/file/d8b2e3738785/dom/identity
>
>
> On Sun, Apr 6, 2014 at 4:24 PM, <bre...@gmail.com> wrote:
>

> > I presume the work toward landing BrowserID in Firefox would require
> > knowledge of C++?

[Dirkjan Ochtman]

On Mon, Apr 7, 2014 at 7:23 PM, Jed Parsons <jpar...@mozilla.com> wrote:
> I would love to hack on this with anyone. Various people in this group and the Firefox team have worked on the problem, but of course we haven't yet figured it all out.

Is there like an outline somewhere of what the next steps would be?

Do we think any Firefox peers would still be willing to invest in
reviewing etc this?

Cheers,

Dirkjan

[Leen Besselink]

I don't see why not.

Because this is also still making progress and is also being committed and marked as fixed (slowly), which was built around Persona:

https://bugzilla.mozilla.org/showdependencygraph.cgi?id=901261

https://air.mozilla.org/intern-presentation-seys/

http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-09

But I could be wrong, as I'm not involved, just watching.

> Cheers,
>
> Dirkjan

[Leen Besselink]

I could wrong but I thought the set with bugs is about identity for WebRTC.

Martin Thomson wrote:
> On 2014-04-07, at 23:58, Leen Besselink <le...@consolejunkie.net> wrote:>> Because this is also still making progress and is also being committed and marked as fixed (slowly), which was built around Persona:
>>
>> https://bugzilla.mozilla.org/showdependencygraph.cgi?id=901261> I have to correct this. WebRTC does not have a direct dependency on Persona. That said, some of the infrastructure has been quite useful.

[Leen Besselink]

I'm aware of that, just saying there is identity work going on in the browser chrome in general. For which Persona, I would think, is a likely candidate to add on top of that. Also if they finish what they have done, then it would already include a UI.

Now I don't know what that would look like because I heared some talk in the last IETF WG meeting audio recording that the hidden iframe might not make it.

Martin Thomson wrote:
> > On 2014-04-08, at 10:08, Leen Besselink <le...@consolejunkie.net> wrote:>> I could wrong but I thought the set with bugs is about identity for WebRTC. > That is correct. However, WebRTC identity isn’t bound to any specific identity provider.

[Martin Thomson]

[Martin Thomson]

[Martin Thomson]

On 2014-04-08, at 10:31, Leen Besselink <le...@consolejunkie.net> wrote:

> Now I don't know what that would look like because I heared some talk in the last IETF WG meeting audio recording that the hidden iframe might not make it.

The hidden iframe has issues, but I’ve a proposal that addresses the worst of them. We’re still using it.

[Matjaz Horvat]

Slightly offtopic, but still related to the original post.

BrowserID is still the most popular project among localizers on Mozilla
Verbatim, which we use for localizing most of the web stuff at Mozilla:
https://localize.mozilla.org/projects/

And the 3rd is BrowserID BigTent (also includes Gmail bridge).

-Matjaž

[Anders Rundgren]

I think the core problem is that Mozilla doesn't have a strong authentication solution since this is what the service providers want to see before they take on any new scheme.

Google's U2F seems to attract a lot of attention these days. Microsoft, PayPal, ARM (!) etc. have joined the FIDO Alliance where the spec is hosted and developed.

[mim...@gmail.com]

> I think the core problem is that Mozilla doesn't have a strong authentication solution since this is what the service providers want to see before they take on any new scheme.
>
>
>
> Google's U2F seems to attract a lot of attention these days. Microsoft, PayPal, ARM (!) etc. have joined the FIDO Alliance where the spec is hosted and developed.

Well I guess you can't compare U2F to Persona, U2F is a hardware based Auth system, Persona is a decentralized auth system, so I think it could be possible to use U2F USB Dongles to auth with Persona (with your google account) in future! (of-course if Mozilla doesn't drop it sadly!!)

[ander...@gmail.com]

Unfortunately Mozilla seems to be focusing on UICC which won't fly, devices have built-in security hardware like TrustZone these days:
https://bugzilla.mozilla.org/show_bug.cgi?id=879861