
Summary of Persona presentation at DevCon5


Jedediah Parsons

Jul 29, 2013, 2:13:57 PM
to dev-id...@lists.mozilla.org

Hi, all,

I talked about Persona at DevCon5 in New York last week. Many of the attendants are mobile app developers who still rely on native or hybrid frameworks, so I tried especially to show Persona on mobile/native.

Few people in the audience had heard of Persona. I think there were about 60 or 70 people in attendance.

My slides can be converted to an html presentation with deck.js using m2d: https://github.com/jedp/devcon5-2013

I demonstrated and discussed:
- persona on desktop
- persona on mobile (incl firefoxos)
- sign-in flow on sloblog.io
- problems with passwords today
- the persona sign-in flow
- why we use email addresses
- benefits for users
- benefits for developers
- complete client code for an RP
- complete server code for an RP
- security considerations
- customization and branding for RPs
- live-coding demo of adding persona to an app
- the protocol enacted by members of the audience
(last time i did this i used stuffed animals)
(non-plush, live actors are better because they ask more questions)
- IdP examples
- The IdP API and how to become an IdP
- LDAP integration
- Native embedding recipe

Questions from the audience included:

- Details of the protocol - how can the RP really trust this?
- What if I log in to a site using different emails? How do they know they're all "me"?
- How does this compare to signing in with Facebook?
- How could I use this as a simple sign-in to enable comments on my site?
- What happens if my email account is compromised?

Anecdotally, I can confirm what others have been saying - that "Sign in using email" is better than "Sign in with Persona".

People responded very positively to the idea that they don't have to store passwords.

Some RPs were quite positive about *not* having to use twitter or facebook auth. They *don't* want access to people's social graph and histories, which they view as a liability akin to storing passwords.

When I demonstrated writing an IdP, I showed shane's sendmypin.org, which SMSs a PIN, and my gno.mn, which uses the yubikey. Interestingly, the black hats in the audience who profess a strong dislike of sign-in-everywhere systems were enthusiastic that they could use a yubikey and a phone pin as the basis for authentication. So the black hats were won over. Finally, some users who care about security! ;)

Unrelated, the Q&A questions at the close of the conference turned to debugging node.js apps and tracking down memory leaks. I pointed out node-inspector (https://github.com/node-inspector/node-inspector) and node-memwatch (https://github.com/lloyd/node-memwatch), both of which were already familiar to and used by some of the other panelists and members of the audience. w00t :)

Cheers
j

James Bonacci

Jul 29, 2013, 2:26:34 PM
to Jedediah Parsons, dev-id...@lists.mozilla.org
Jed,

Awesome. Thanks for the summary.

James
_______________________________________________
dev-identity mailing list
dev-id...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-identity

Jedediah Parsons

Jul 29, 2013, 2:51:17 PM
to James Bonacci, dev-id...@lists.mozilla.org

Thanks, James.

It had been perhaps nine months since I'd spoken about Persona in a public forum. This is far too long.

I believe it's crucial for all of us, as developers, to engage and understand where we stand with the public.

I encourage everyone on this list who cares about Persona to step up at local conferences, meet-ups, etc., to help people understand what it is and what it can do for them, and help us understand better where we need to do more.

Cheers
j

Austin King

Jul 29, 2013, 3:03:37 PM
to Jedediah Parsons, dev-id...@lists.mozilla.org
On 7/29/13 11:13 AM, Jedediah Parsons wrote:
> Hi, all,
>
> I talked about Persona at DevCon5 in New York last week. Many of the attendants are mobile app developers who still rely on native or hybrid frameworks, so I tried especially to show Persona on mobile/native.
>
> Few people in the audience had heard of Persona. I think there were about 60 or 70 people in attendance.
>
> My slides can be converted to an html presentation with deck.js using m2d: https://github.com/jedp/devcon5-2013
Thanks for the links and notes!

-- Austin

Francois Marier

Jul 29, 2013, 4:36:19 PM
On 30/07/13 06:13, Jedediah Parsons wrote:
> I demonstrated and discussed:
> - persona on desktop
> - persona on mobile (incl firefoxos)
> - sign-in flow on sloblog.io
> - problems with passwords today
> - the persona sign-in flow
> - why we use email addresses
> - benefits for users
> - benefits for developers
> - complete client code for an RP
> - complete server code for an RP
> - security considerations
> - customization and branding for RPs
> - live-coding demo of adding persona to an app
> - the protocol enacted by members of the audience
> (last time i did this i used stuffed animals)
> (non-plush, live actors are better because they ask more questions)
> - IdP examples
> - The IdP API and how to become an IdP
> - LDAP integration
> - Native embedding recipe

That's a really thorough talk, great!

> Questions from the audience included:
>
> - Details of the protocol - how can the RP really trust this?

Interesting. What was the gist of your answer?

> Some RPs were quite positive about *not* having to use twitter or facebook auth. They *don't* want access to people's social graph and histories, which they view as a liability akin to storing passwords.

Wow, that's really good to know! Are we entering a post-PRISM world? ;)

BTW, I've added your talk to
https://wiki.mozilla.org/Identity/Spread_Persona#2013

Francois

Leen Besselink

Jul 29, 2013, 6:21:55 PM
to dev-id...@lists.mozilla.org
On Tue, Jul 30, 2013 at 08:36:19AM +1200, Francois Marier wrote:
> On 30/07/13 06:13, Jedediah Parsons wrote:
> > I demonstrated and discussed:
> > - persona on desktop
> > - persona on mobile (incl firefoxos)
> > - sign-in flow on sloblog.io
> > - problems with passwords today
> > - the persona sign-in flow
> > - why we use email addresses
> > - benefits for users
> > - benefits for developers
> > - complete client code for an RP
> > - complete server code for an RP
> > - security considerations
> > - customization and branding for RPs
> > - live-coding demo of adding persona to an app
> > - the protocol enacted by members of the audience
> > (last time i did this i used stuffed animals)
> > (non-plush, live actors are better because they ask more questions)
> > - IdP examples
> > - The IdP API and how to become an IdP
> > - LDAP integration
> > - Native embedding recipe
>
> That's a really thorough talk, great!
>

I also have a question:

How much time did it take to give this talk? As it touched on so many subjects.

> > Questions from the audience included:
> >
> > - Details of the protocol - how can the RP really trust this?
>
> Interesting. What was the gist of your answer?
>
> > Some RPs were quite positive about *not* having to use twitter or facebook auth. They *don't* want access to people's social graph and histories, which they view as a liability akin to storing passwords.
>
> Wow, that's really good to know! Are we entering a post-PRISM world? ;)
>
> BTW, I've added your talk to
> https://wiki.mozilla.org/Identity/Spread_Persona#2013
>
> Francois

Jedediah Parsons

Jul 29, 2013, 8:02:06 PM
to Francois Marier, dev-id...@lists.mozilla.org

Hi, François,

> > - Details of the protocol - how can the RP really trust this?
>
> Interesting. What was the gist of your answer?

In this case, it was just a straightforward protocol question about the chain of trust in the backed assertion.

The questioner appeared to be comfortable once he understood how the IdP's public key was acquired by the RP, and how the certificate and assertion were verified.

> > Some RPs were quite positive about *not* having to use twitter or facebook
> > auth. They *don't* want access to people's social graph and histories,
> > which they view as a liability akin to storing passwords.
>
> Wow, that's really good to know! Are we entering a post-PRISM world? ;)

I didn't feel like this was motivated by PRISM, though on some psychological level I suppose there may indeed be a link. On the surface, these people said they were uncomfortable with the amount of power, and so potential for disaster, that they felt social sign-in systems afford. It may be that they (they being a couple of questioners and three or four others vigorously nodding in agreement) were articulating what they thought their users felt - that it's creepy to be asked to share that much with a site that ostensibly has no need for it. This group said that if they don't need the user's social graph for anything, they don't want anything to do with it. I wasn't expecting to see RPs taking this perspective. It was great to hear this coming from the audience and not the podium!
Thank you!

Cheers
j

----- Original Message -----
> From: "Francois Marier" <fran...@mozilla.com>
> To: dev-id...@lists.mozilla.org
> Sent: Monday, July 29, 2013 1:36:19 PM
> Subject: Re: Summary of Persona presentation at DevCon5
>

Jedediah Parsons

Jul 29, 2013, 8:33:18 PM
to le...@consolejunkie.net, dev-id...@lists.mozilla.org

Hi, Leen,

> How much time did it take to give this talk ? As it touched on so many
> subjects.

I just about squeezed it into an hour. I ran 36 seconds over.

I had prepared the live coding bits in advance with git branches so I could git-push them to an awsbox instance and let people try out the changes right away. To try to build on people's interests, I did my demo on a little chat app I wrote the night before using tools and techniques that had been discussed the previous day by other speakers. I hoped that this would provide some continuity and also interest in digging into the code. (Ok, so it was only semi-live coding; good enough :)

Firefox's adaptive design mode made it easy to show desktop and mobile from the same screen. That probably saved a few minutes.

In order to make room to talk about IdPs and give an overview of Native, I decided to confine the story for RPs and users primarily to ease of use and integration, talking less about the privacy benefits than I could have. I did emphasize strongly that RPs benefit from not having the liability of passwords.

Enacting the protocol with live members of the audience took *less* time, surprisingly, than my previous re-enactment, which was done with three stuffed animals. I'm not exactly sure why this was. I might attribute it to the fact that the actors would immediately register comprehension or confusion, giving me direct cues as to how quickly I could move; whereas the small stuffed animals I had chosen previously all looked slightly irritable, which may have made me inject a little time-consuming nervous banter in an effort to win them over.

I think enacting the protocol is a great way to drive home a lot of the benefits to RPs, and the interesting possibilities for IdPs.

If I were to do it again, I would leave out the native embedding recipe (short though it had to be) and spend more time on mobile from an RP's point of view.

Cheers
j

----- Original Message -----
> From: "Leen Besselink" <le...@consolejunkie.net>
> To: dev-id...@lists.mozilla.org
> Sent: Monday, July 29, 2013 3:21:55 PM
> Subject: Re: Summary of Persona presentation at DevCon5
>

Zachary Carter

Jul 29, 2013, 10:42:18 PM
to Jedediah Parsons, le...@consolejunkie.net, dev-id...@lists.mozilla.org
This sounds awesome, Jed. Do you know if/when there will be a video of the presentation?

-z

Jedediah Parsons

Jul 30, 2013, 12:25:33 AM
to Zachary Carter, le...@consolejunkie.net, dev-id...@lists.mozilla.org

Sadly, I don't believe a video was produced :(

Maybe we should all travel with little cameras and tripods so we can record and share these events. And I like what François does, taking his little voice-recorder everywhere. That's an awesome way to augment a slide deck. Or, under more controlled circumstances, it might be worth putting a series of podcasts together?

----- Original Message -----
> From: "Zachary Carter" <zca...@mozilla.com>
> To: "Jedediah Parsons" <jpar...@mozilla.com>

Leen Besselink

Jul 30, 2013, 3:43:31 AM
to dev-id...@lists.mozilla.org
On Mon, Jul 29, 2013 at 05:02:06PM -0700, Jedediah Parsons wrote:
>
> Hi, François,
>
> > > - Details of the protocol - how can the RP really trust this?
> >
> > Interesting. What was the gist of your answer?
>
> In this case, it was just a straightforward protocol question about the chain of trust in the backed assertion.
>
> The questioner appeared to be comfortable once he understood how the IdP's public key was acquired by the RP, and how the certificate and assertion were verified.
>
> > > Some RPs were quite positive about *not* having to use twitter or facebook
> > > auth. They *don't* want access to people's social graph and histories,
> > > which they view as a liability akin to storing passwords.
> >
> > Wow, that's really good to know! Are we entering a post-PRISM world? ;)
>
> I didn't feel like this was motivated by PRISM, though on some psychological level I suppose there may indeed be a link. On the surface, these people said they were uncomfortable with the amount of power, and so potential for disaster, that they felt social sign-in systems afford. It may be that they (they being a couple of questioners and three or four others vigorously nodding in agreement) were articulating what they thought their users felt - that it's creepy to be asked to share that much with a site that ostensibly has no need for it. This group said that if they don't need the user's social graph for anything, they don't want anything to do with it. I wasn't expecting to see RPs taking this perspective. It was great to hear this coming from the audience and not the podium!
>

As a site owner I might be able to answer this (Facebook is an example, other sites might apply):
1. site owners/developers are users too, they don't want to give Facebook more power and don't want to give random strangers access to any Facebook data
2. a site has to convince users to join/participate, a Facebook login might be quick (because they might already be logged in), but also a barrier to do so for many users (see 1. second part)
3. maybe even 3, if Facebook messes up, Facebook can still become the next MySpace, right? Well, in theory. Relying on a protocol is much better than a site.

It's not a PRISM-thing, it's always been this way.

Personally, one of my favorite advantages of this protocol is the possibility of a Firefox desktop native interface. :-) And eventually, I hope, every browser.

https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png

I don't think I've seen it mentioned in many of your presentations.

This makes it easier for users to trust the mechanism, because it is safe, it relieves barriers for signup at sites and last but not least, it's quick, easy, painless.

On mobile that last bit is also important, a quick method does not really exist yet.

Leen Besselink

Jul 30, 2013, 4:02:48 AM
to dev-id...@lists.mozilla.org
On Tue, Jul 30, 2013 at 09:43:31AM +0200, Leen Besselink wrote:
> On Mon, Jul 29, 2013 at 05:02:06PM -0700, Jedediah Parsons wrote:
> >
> > Hi, François,
> >
> > > > - Details of the protocol - how can the RP really trust this?
> > >
> > > Interesting. What was the gist of your answer?
> >
> > In this case, it was just a straightforward protocol question about the chain of trust in the backed assertion.
> >
> > The questioner appeared to be comfortable once he understood how the IdP's public key was acquired by the RP, and how the certificate and assertion were verified.
> >
> > > > Some RPs were quite positive about *not* having to use twitter or facebook
> > > > auth. They *don't* want access to people's social graph and histories,
> > > > which they view as a liability akin to storing passwords.
> > >
> > > Wow, that's really good to know! Are we entering a post-PRISM world? ;)
> >
> > I didn't feel like this was motivated by PRISM, though on some psychological level I suppose there may indeed be a link. On the surface, these people said they were uncomfortable with the amount of power, and so potential for disaster, that they felt social sign-in systems afford. It may be that they (they being a couple of questioners and three or four others vigorously nodding in agreement) were articulating what they thought their users felt - that it's creepy to be asked to share that much with a site that ostensibly has no need for it. This group said that if they don't need the user's social graph for anything, they don't want anything to do with it. I wasn't expecting to see RPs taking this perspective. It was great to hear this coming from the audience and not the podium!
> >
>
> As a site owner I might be able to answer this (Facebook is an example, other sites might apply):
> 1. site owners/developers are users too, they don't want to give Facebook more power and don't want to give random strangers access to any Facebook data
> 2. a site has to convince users to join/participate, a Facebook login might be quick (because they might already be logged in), but also a barrier to do so for many users (see 1. second part)
> 3. maybe even 3, if Facebook messes up, Facebook can still become the next MySpace, right? Well, in theory. Relying on a protocol is much better than a site.
>
> It's not a PRISM-thing, it's always been this way.
>
> Personally, one of my favorite advantages of this protocol is the possibility of a Firefox desktop native interface. :-) And eventually, I hope, every browser.
>
> https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png
>
> I don't think I've seen it mentioned in many of your presentations.
>
> This makes it easier for users to trust the mechanism, because it is safe, it relieves barriers for signup at sites and last but not least, it's quick, easy, painless.
>
> On mobile that last bit is also important, a quick method does not really exist yet.

And authentication problems are everywhere, we really, really need better protocols and support for it.

Did you know POTS and maybe eventually the telephone number are going away?

http://recordings.conf.meetecho.com/Recordings/watch.jsp?recording=IETF86_tech_plenary&chapter=part_5

Oops, there is another authentication/ID problem:

http://www.disruptivetelephony.com/2013/07/can-we-create-a-secure-caller-id-for-voip-join-tomorrows-stir-bof-to-learn-more.html

The CTO of the US FCC says:
"WebRTC basically turns voice into just another Javascript application"

Melvin Carvalho

Jul 30, 2013, 5:52:28 AM
to Jedediah Parsons, dev-id...@lists.mozilla.org
Also something I have wondered about.


> - How does this compare to signing in with Facebook?
>

What was the answer to this? Facebook is still the leading identity
solution imho, tho persona still has potential to catch up.


> - How could I use this as a simple sign-in to enable comments on my site?
> - What happens if my email account is compromised?
>

Also a good question. My biggest over reliance on the web today is email.
I wonder if Persona will increase this reliance or be a way to take more
control of my own identity.


>
> Anecdotally, I can confirm what others have been saying - that "Sign in
> using email" is better than "Sign in with Persona".
>

Makes sense.


> People responded very positively to the idea that they don't have to store
> passwords.
>

I've been developing a healthy paranoia for remotely stored passwords. We
started with plain text, but that got compromised. We moved to encrypted,
but that was crackable. Now people use salt + encryption, but that can be
brute forced.

I think we need computationally expensive hash functions now; how will
mozilla protect our passwords?


>
> Some RPs were quite positive about *not* having to use twitter or facebook
> auth. They *don't* want access to people's social graph and histories,
> which they view as a liability akin to storing passwords.
>
> When I demonstrated writing an IdP, I showed shane's sendmypin.org, which
> SMSs a PIN, and my gno.mn, which uses the yubikey. Interestingly, the
> black hats in the audience who profess a strong dislike of
> sign-in-everywhere systems were enthusiastic that they could use a yubikey
> and a phone pin as the basis for authentication. So the black hats were
> won over. Finally, some users who care about security! ;)
>
> Unrelated, the Q&A questions at the close of the conference turned to
> debugging node.js apps and tracking down memory leaks. I pointed out
> node-inspector (https://github.com/node-inspector/node-inspector) and
> node-memwatch (https://github.com/lloyd/node-memwatch), both of which
> were already familiar to and used by some of the other panelists and
> members of the audience. w00t :)
>
> Cheers
> j

Melvin Carvalho

Jul 30, 2013, 8:19:25 AM
to Jedediah Parsons, dev-id...@lists.mozilla.org
On 29 July 2013 20:13, Jedediah Parsons <jpar...@mozilla.com> wrote:

>
> Hi, all,
>
> I talked about Persona at DevCon5 in New York last week. Many of the
> attendants are mobile app developers who still rely on native or hybrid
> frameworks, so I tried especially to show Persona on mobile/native.
>
> Few people in the audience had heard of Persona. I think there were about
> 60 or 70 people in attendance.
>
> My slides can be converted to an html presentation with deck.js using m2d:
> https://github.com/jedp/devcon5-2013
>
> I demonstrated and discussed:
> - persona on desktop
> - persona on mobile (incl firefoxos)
> - sign-in flow on sloblog.io
> - problems with passwords today
> - the persona sign-in flow
> - why we use email addresses
>

I don't think "why we use email" is accurate here. People use email because
it's useful.

A clearer message might be why persona "overloads" email, and uses it for
about half a dozen different purposes.

This for me is a fundamental difference between facebook and persona.
Facebook will also use email when it's useful, but they'll also use a real
name, or a phone number, or a graph profile url. They use the best tool for
the best job by linking the many facets of an identity together into a
whole. Persona at this point in time are trying to overload email to do
many different things.

Lloyd Hilaiel

Jul 30, 2013, 10:56:09 AM
to Melvin Carvalho, Jedediah Parsons, dev-id...@lists.mozilla.org
On Jul 30, 2013, at 6:19 AM, Melvin Carvalho <melvinc...@gmail.com> wrote:

> On 29 July 2013 20:13, Jedediah Parsons <jpar...@mozilla.com> wrote:
>
>>
>> Hi, all,
>>
>> I talked about Persona at DevCon5 in New York last week. Many of the
>> attendants are mobile app developers who still rely on native or hybrid
>> frameworks, so I tried especially to show Persona on mobile/native.
>>
>> Few people in the audience had heard of Persona. I think there were about
>> 60 or 70 people in attendance.
>>
>> My slides can be converted to an html presentation with deck.js using m2d:
>> https://github.com/jedp/devcon5-2013
>>
>> I demonstrated and discussed:
>> - persona on desktop
>> - persona on mobile (incl firefoxos)
>> - sign-in flow on sloblog.io
>> - problems with passwords today
>> - the persona sign-in flow
>> - why we use email addresses
>>
>
> I dont think "why we use email" is accurate here. People use email because
> it's useful.
>
> A clearer message might be why persona "overloads" email, and uses it for
> about half a dozen different purposes.

The way I like to think about it is that persona simply paves a cowpath. Email ownership already is the ultimate authority for lots of sites. An example of this is that many people are forced to reset their password every time they use a service. By decreasing the cost of proving ownership of an email, we can short circuit the login process and make per-site passwords unnecessary.

lloyd

Melvin Carvalho

Jul 30, 2013, 11:08:32 AM
to Lloyd Hilaiel, Jedediah Parsons, dev-id...@lists.mozilla.org
Sure, that makes sense. I do agree email has its uses. I think it's fair
to say that email is part of your online identity. It's about using the
right tool for the right job.