JSFoo presentation report


Francois Marier

Sep 26, 2013, 10:54:56 PM
Last week I talked [1] about Persona at JSFoo [2] in Bangalore. It felt
like the most effective talk I've done so far, not just based on the
number of people that saw it (around 500), but mostly for the number of
people that came to ask questions afterwards and who committed [3] to
implementing it on their sites.

I was particularly interested to hear the company that put together the
conference say that they will implement it on their conference website
(joining linux.conf.au and PyCon AU who did the same last year).

# Questions from the audience

* How does a company add support at the IdP level?

* How can you revoke a cert given to a user?

* Why is the fallback IdP asking for a password if the whole point of
Persona is to get rid of passwords?

* My service is already using a popup and I want to use Persona in it,
but I don't want to get a double popup, is there a way to avoid the
popup?

* What if I want to access an API that uses a REST API, can I use
Persona to control auth to that API?

* Is there a way to customize the look and feel of the confirmation
email sent by Persona?

* Does Persona give me any other information about the user than just
the email address?

* How are secret keys secure if localStorage is vulnerable to any
cross-site scripting attacks?

* How can I authenticate an offline application against Persona?

* How safe is it to use Persona on a shared computer?

* Do you have any suggestions to help sites transition from a
traditional login system to Persona?

* Can I think of this as OpenID but using email addresses?


Francois

[1] Slides at
https://speakerdeck.com/fmarier/killing-passwords-with-javascript and
video at https://www.youtube.com/watch?v=Hqs6JwOmALg

[2] https://jsfoo.in/2013/

[3] A few of whom did so on Twitter:
https://twitter.com/jackerhack/status/381020514652663809
https://twitter.com/AviShastry/status/381022271109746688
https://twitter.com/sdaas/status/381022271797592065

Jonathan Brown

Oct 3, 2013, 12:53:53 PM
to Francois Marier, dev-id...@lists.mozilla.org
>
> * Why is the fallback IdP asking for a password if the whole point of
> Persona is to get rid of passwords?
>

Yeah - I think this is over-engineered. It should be per-browser rather
than having to enter a password.

Dirkjan Ochtman

Oct 3, 2013, 2:04:21 PM
to Jonathan Brown, Francois Marier, dev-id...@lists.mozilla.org
On Thu, Oct 3, 2013 at 6:53 PM, Jonathan Brown <jbr...@bluedroplet.com> wrote:
>> * Why is the fallback IdP asking for a password if the whole point of
>> Persona is to get rid of passwords?
>
> Yeah - I think this is over-engineered. It should be per-browser rather
> than having to enter a password.

See also the Paris idea to allow email-notification-only mode.

Cheers,

Dirkjan