Is shutting down Persona the best idea?


ad...@nsuchy.top

Jan 13, 2016, 1:35:09 PM
I understand that on November 30th Persona will be gone and the data deleted. Is this the best idea? What will happen to unmaintained websites which have no other login system? Is it a good idea to say oh well and let them become non-functioning? Consider this...

Ryan Kelly

Jan 18, 2016, 1:57:07 AM
to ad...@nsuchy.top, dev-id...@lists.mozilla.org
On 14/01/2016 05:35, ad...@nsuchy.top wrote:
> I understand that on November 30th Persona will be gone and the data deleted. Is this the best idea? What will happen to unmaintained websites which have no other login system? Is it a good idea to say oh well and let them become non-functioning? Consider this...

Thanks for the question, and sorry this got lost in my inbox for a while
due to travel. It's an important point and something we've definitely
thought about a lot. I said a few more words about it on the wiki [1]
but will quote them here as well:

"""
Hosting a service at the level of security and availability required for
an authentication system is no small undertaking, and Mozilla can no
longer justify dedicating limited resources to this project.
"""

For the small number of websites that may not be able to migrate away
from Persona, a hard shutdown does indeed mean that logins will no
longer work, which is not a great outcome.

But keeping the service online without adequate maintenance would be an
even worse outcome - logins that work intermittently and may have
unpatched security vulnerabilities.


Cheers,

Ryan


[1]
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers#Why_is_persona.org_being_shut_down.3F

Marcio Galli

Jan 18, 2016, 4:01:51 AM
to Ryan Kelly, ad...@nsuchy.top, dev-id...@lists.mozilla.org
It would be an amazing contribution if Mozilla could actually disclose
the costs of engineering and give a hint on the actual bugs and problems
over time. I just figure that a flipside of opensource/Mozilla/failures
is actually in being more open about the learnings and costs of
engineering - not sure if it makes sense. I see that there is a section
for self-hosting that partially covers it. Do you think that the list
of open bugs is significant as a snapshot for someone willing to
understand engineering cost/key activities?

m




--
www.telasocial.com

bryand...@gmail.com

Jan 24, 2016, 11:03:38 PM
to Marcio Galli, Ryan Kelly, ad...@nsuchy.top, dev-id...@lists.mozilla.org
My 2 cents:

I've just finished migrating my service away from Persona to a
password-less authentication system.

I was not excited about doing this work, however, now that it is done and
Persona is gone, I am quite happy about it:
- site loads faster
- no popup windows
- no iOS issues related to popups
- no cross-domain requests
- no reliance on a 3rd party

For me, it was complacency keeping me on Persona, and the shutdown deadline
notice was the motivation I needed to improve my service by removing
passwords entirely.

I understand the Persona shutdown will break sites that are no longer being
maintained, and that is unfortunate, but for me this change was a Good
Thing.



Andrew Ducker

Jan 25, 2016, 9:08:14 AM
What system did you move to? I need to do this work at some point in the next month or two, and any advice is gratefully accepted.

Dirkjan Ochtman

Jan 25, 2016, 11:43:42 AM
to Andrew Ducker, dev-id...@lists.mozilla.org
On Mon, Jan 25, 2016 at 3:08 PM, Andrew Ducker <and...@ducker.org.uk> wrote:
> What system did you move to? I need to do this work at some point in the next month or two, and any advice is gratefully accepted.

Note also that a small group of people is currently hacking on a new
BrowserID-like protocol, here:

https://github.com/letsauth/letsauth.github.io/wiki

You might want to see how they fare (the group includes some people
who also worked on Persona, including myself).

Cheers,

Dirkjan

Melvin Carvalho

Jan 25, 2016, 12:54:05 PM
to Dirkjan Ochtman, dev-id...@lists.mozilla.org, Andrew Ducker
On 25 January 2016 at 17:43, Dirkjan Ochtman <dir...@ochtman.nl> wrote:

> On Mon, Jan 25, 2016 at 3:08 PM, Andrew Ducker <and...@ducker.org.uk>
> wrote:
> Note also that a small group of people is currently hacking on a new
> BrowserID-like protocol, here:
>
> https://github.com/letsauth/letsauth.github.io/wiki
>
> You might want to see how they fare (the group includes some people
> who also worked on Persona, including myself).
>

Nice idea.

But it suffers from the same weaknesses as Persona.

Namely:

- Slightly lacks a clean separation of identity and authentication
(verifying identity) -- I may be wrong there

- Is too tightly bound to email. Inevitably you'll go up against the big
webmail providers who will end up shutting you down. Or you'll introduce a
central point of failure a la Persona.

Do we really want to repeat the same mistakes again? A much better way
IMHO is to allow any type of identity (ie a URI) and offer the user that
freedom, which OAuth does a lot better. Then allow cryptographic proofs to
verify that identity, instead of having to remember a password for every
site -- or in the case of Persona two passwords per email address!


>
> Cheers,
>
> Dirkjan

bryand...@gmail.com

Jan 25, 2016, 1:21:52 PM
to Melvin Carvalho, Dirkjan Ochtman, Andrew Ducker, dev-id...@lists.mozilla.org
Andrew,

I looked originally at https://passwordless.net/, which I used as
inspiration for my own (non-node-js) implementation.

The big weakness of Passwordless that I had to overcome was the
verification link getting clicked on a different user agent. e.g. you are
trying to log in on your desktop browser, but click the verification link
on your phone. This was easily solved using a websocket on the original
page to receive a pushed token as soon as the link is clicked. I guess you
could also use long polling. Not sure what Persona did, but they also
solved this same issue.

Melvin,

If your use case involves being able to communicate with the user via
email, as I suspect many use cases do, then identity being bound to email
is ideal.

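The cross-device completion Bryan describes above (start a login on the desktop, click the mailed link on the phone, have the desktop page pick up the result), as an added example that is neither his code nor Passwordless's. It models the flow with an in-memory store and a poll endpoint standing in for his websocket push; the `MagicLinkLogin` class, the `TOKEN_TTL` value and the `example.invalid` link are assumptions for illustration. The browser that starts the login keeps a random `login_id` in a cookie and never sees the e-mailed token; the e-mailed token is single-use and expiring; only hashes of both secrets are stored, and records are looked up by hash so no raw secret is ever compared.

```python
"""Magic-link login where the link may be opened on a different device.

Added example, not code from the thread or from passwordless.net.
Flow: start() on the originating browser -> e-mail carries a token ->
verify() on whichever device opens the link -> claim() on the originating
browser (polled, or triggered by a websocket push) turns it into a session.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 600  # seconds a mailed link stays valid (assumed value)


def _h(secret: str) -> str:
    """Store and look up secrets by SHA-256 hash, never in the clear."""
    return hashlib.sha256(secret.encode()).hexdigest()


class MagicLinkLogin:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # hash(login_id) -> pending login record
        self.by_token = {}   # hash(email_token) -> hash(login_id)
        self.sessions = {}   # session id -> email
        self.outbox = []     # constructed stand-in for the mailer

    def start(self, email: str) -> str:
        """Called by the browser that submits the address. Returns the
        login_id to set as an HttpOnly cookie; the token goes only by mail."""
        login_id = secrets.token_urlsafe(32)
        email_token = secrets.token_urlsafe(32)
        rec = {"email": email, "verified": False,
               "expires": self.now() + TOKEN_TTL,
               "token_hash": _h(email_token)}
        self.pending[_h(login_id)] = rec
        self.by_token[rec["token_hash"]] = _h(login_id)
        self.outbox.append((email, "https://example.invalid/login/verify?t=" + email_token))
        return login_id

    def verify(self, email_token: str) -> bool:
        """Handler for the mailed link, on whatever device opens it.
        Single use: the token mapping is removed on first presentation."""
        lid_h = self.by_token.pop(_h(email_token), None)
        if lid_h is None:
            return False
        rec = self.pending.get(lid_h)
        if rec is None or self.now() > rec["expires"]:
            self.pending.pop(lid_h, None)
            return False
        rec["verified"] = True
        return True

    def claim(self, login_id: str):
        """Polled by the waiting page (or called on a websocket push). Only
        the holder of the login_id cookie can turn a verified login into a
        session, so clicking the link does not log in the clicking device."""
        lid_h = _h(login_id)
        rec = self.pending.get(lid_h)
        if rec is None:
            return None
        if self.now() > rec["expires"]:
            self.pending.pop(lid_h)
            self.by_token.pop(rec["token_hash"], None)
            return None
        if not rec["verified"]:
            return None
        self.pending.pop(lid_h)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = rec["email"]
        return sid
```

The point of binding the result to the cookie rather than to the link is that the link alone proves only mailbox access; whoever started the login, not whoever clicked, ends up with the session, which is the behaviour Bryan wanted for the desktop-starts, phone-clicks case. The verify page should therefore tell the clicking user what they are approving, since approving a login that someone else started is the one action this design cannot distinguish from the user's own.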

Melvin Carvalho

Jan 25, 2016, 1:27:21 PM
to bryand...@gmail.com, Dirkjan Ochtman, Andrew Ducker, dev-id...@lists.mozilla.org
On 25 January 2016 at 19:21, <bryand...@gmail.com> wrote:

> Andrew,
>
> I looked originally at https://passwordless.net/, which I used as
> inspiration for my own (non-node-js) implementation.
>
> The big weakness of Passwordless that I had to overcome was the
> verification link getting clicked on a different user agent. e.g. you are
> trying to log in on your desktop browser, but click the verification link
> on your phone. This was easily solved using a websocket on the original
> page to receive a pushed token as soon as the link is clicked. I guess you
> could also use long polling. Not sure what Persona did, but they also
> solved this same issue.
>
> Melvin,
>
> If your use case involves being able to communicate with the user via
> email, as I suspect many use cases do, then identity being bound to email
> is ideal.
>

I don't think this is accurate. What you are saying is you'd like to
overload email (and only email) to do 3 quite different things:

1. Be a primary identifier for verification.
2. Be a memorable string you type into a form
3. Be a message delivery system.

This is from one perspective a neat hack, but from another perspective a
horrible architectural design decision.

Overloading is always a great sugar rush as it gets something working quite
fast (as happened with persona) ... the cracks appear down the line.

Typically in programming you tie key value pairs to entities (think JSON)
and can enrich identity with say your name, your avatar, your email address
... in fact it's open ended.

