On 30/10/14 21:07, Melvin Carvalho wrote:
> I think it's slightly too centralized.
+1.
I have been working with Persona/BrowserID since the very beginning. I
understand the vision and I know that being easy and providing a
fallback for IdPs is a need.
But a major selling point of Persona is the privacy advantages and
self-hosting IdP. We are falling *VERY* short on this.
I trust Mozilla a lot, but:
1. I need to link JavaScript code from Mozilla in my webpage. Any user
access will hit Mozilla servers. Not nice for privacy. You lose a
privacy advocate there.
Moreover, any malicious alteration of that remotely hosted JS can be
disastrous.
I know that the protocol and the API are evolving and that is the point
of importing external code, but we have been out there for years. Time
to write V1.0 in stone.
2. To me, failing to integrate the Persona JS into the regular Firefox
codebase was really disappointing. That means that we will rely on
foreign JS code that is not able to keep some data really secure in the
local browser.
I realize that even if Firefox were Persona-native, we would need that
Javascript to support all other browsers anyway. Disappointing,
nonetheless.
3. 99.99% of libraries out there just delegate verification to
Mozilla. Even work I consider "official", like "mod_authnz_persona",
relies on the Mozilla verifier. Persona SHOULD push for local verifiers.
This is critical. The current standard Persona deployment is worse for
privacy, security and user factors than deploying regular FB, Google,
even GitHub logins.
We are alienating privacy advocates because Persona's long-term vision
is cute but currently the incentives are on the side of just delegating
EVERYTHING to the IdP fallback and the Mozilla verifier. Anybody trying
to do better will be hit hard by the reality of current codebases and
the "implicit" deployment culture.
The situation is this:
1. If I am a privacy/self-reliance advocate, all my users are hitting
Mozilla servers on each access. I can't find libraries doing local
verification. The work on most of them looks like it has stopped; I
don't know if because they are dead or because they are feature complete.
2. If I am not an advocate, just doing OAuth 2.0 through Google, FB,
etc. is easy enough, there are plenty of libraries and my users are happy.
3. Hosting an IdP is pointless if Persona support is marginal and, for
the very few websites out there using it, I can count on the IdP fallback.
Briefly, the Persona vision is nice but currently it doesn't provide any
real advantage over OAuth 2.0 and massive identity providers like
Facebook. In fact the experience is WORSE. Only advocates are using it,
and they are being very badly served by libraries not up to the task.
I insist: I understand the need for the IdP fallback and the convenience
of the remote verifier. They provide bootstrapping and trivial
deployment effort. But people are lazy and libraries are lazy too. The
lazy approach will be the default and currently the lazy approach is
working against Persona's long-term goals.
If libraries like "mod_authnz_persona" could: a) host the Persona
JavaScript, maybe by just doing a lazy fetch per hour of the Mozilla
canonical copy and then serving it to local users like a cache, and b)
do local verifications, a privacy advocate would only need the IdP
fallback from Mozilla.
If the IdP fallback could be replaced/augmented with some distributed
verification capabilities with, let's say, X.509 client certificates,
that would be AMAZING.
We need champions too. Success examples: a university using Persona,
governments (doing local verifications and pushing IdP deployments).
Detailed examples of IdP deployments doing everything from trivial
username/password to client X.509 certificates to two-factor.
We need blog posts, twitters, REFERENCES! :-)
A big complexity of Persona is the reliance on Javascript.
"mod_authnz_persona" is very interesting because it is a drop-in module
for Apache that just provides the "REMOTE_USER" variable to the backend.
I don't need to touch ANYTHING in my application, just replace one
authentication engine with another. I don't need to care about how to
integrate the Persona Observer API, or Goldilocks or whatever.
I only need a way to provide "mod_authnz_persona" with:
a) A way to log out (a URL you visit and the authentication cookie is
deleted). This is already available.
b) A way to notify that a resource requests authentication. For
instance, because the backend is providing a 401 status code. This is
useful because the same URL could show different content depending on
authentication status. This feature could be optional, just protecting a
single URL ("/login"), if the authentication cookie is available in the
rest of the website.
c) An expiration policy for the authentication cookies.
d) A way to request verification of a given email. It should do a full
local verification, relying only on the IdP fallback if needed.
With these changes I can deploy a Persona RP with no reliance at all on
Mozilla if my users have a primary IdP... my next fight :-).
But being an IdP is far simpler than doing local verifications!
Yes, I know that many/most sites can't install an Apache module in the
system. Different options like an authentication WSGI module would be
needed. That has been my preferred solution so far.
Ideally Mozilla should invest in a few high-quality RP implementations
in key projects like Django, Flask, Pyramid (sorry, I am a Python guy),
WordPress, whatever. Maybe 50 key projects, serving millions of
websites. People are lazy, let's make the defaults appropriate and
aligned with Persona's long-term goals!
A final comment: public communication is key. Persona mindshare is
marginal. Even I, involved with it, don't know what is going on with
Persona, immediate goals, work in progress, how to help... 99.9999% of
the webmasters out there are not subscribed to the mailing list.
I hope the best for Persona. I like the technology and the long-term
potential. I have a deep investment in it. I feel Mozilla made a mistake
when it moved it to "community support" because there is no community
building, no plan, no strategy to improve adoption.
I wonder if somebody has surveyed the application servers out there,
chosen the top 50 and worked to champion Persona there, providing
good-quality code (local verifiers!), documenting how to use it,
providing detailed examples from trivial to sophisticated... :-). I guess
Persona has champions out there, in those projects, who would love to be
nurtured by Mozilla and maybe even get a bit of money for it. With good
base libraries in a handful of languages, how long would it take to write
an authentication plugin? A week? I know I would love doing it far below
my standard pay rates :), because I want it to SUCCEED.
--
Jesús Cea Avión
jc...@jcea.es - http://www.jcea.es/
Twitter: @jcea
jabber / xmpp:jc...@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is to place your happiness in the happiness of another" - Leibniz
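What "local verification" (point 3 and requirement d above) actually means for an RP, as an added example that is not part of the original mail and not code from mod_authnz_persona or any Persona library: instead of POSTing the backed assertion to Mozilla's remote verifier, the RP itself splits the `cert~assertion` bundle, decides which IdP is allowed to vouch for the e-mail's domain (the domain's own /.well-known/browserid document, its "authority" delegate, or the fallback IdP only when the domain publishes no document), checks the IdP's signature on the certificate, then checks the user key's signature on the assertion and that the assertion was minted for this audience and has not expired. Assumptions: the support documents are an in-memory dict (a real RP fetches and caches them over HTTPS), the fallback issuer name is `login.persona.org`, and textbook RSA over SHA-256 with fixed Mersenne primes stands in for BrowserID's RS256 so the block runs on the standard library alone (a production verifier uses PKCS#1 v1.5 from a real crypto library and real keys). All keys, documents and e-mails below are constructed.

```python
import base64
import hashlib
import json
import time

FALLBACK_IDP = "login.persona.org"  # may certify only domains that publish no support document
E = 65537
# Assumption: textbook RSA over SHA-256 on fixed Mersenne primes stands in for RS256 so this
# is offline and deterministic. Never use fixed primes or unpadded RSA in a real verifier.
_PRIME_PAIRS = [((1 << 127) - 1, (1 << 521) - 1), ((1 << 107) - 1, (1 << 607) - 1),
                ((1 << 89) - 1, (1 << 1279) - 1)]


def make_key(which):
    p, q = _PRIME_PAIRS[which]
    return {"algorithm": "RS", "n": str(p * q), "e": str(E), "d": pow(E, -1, (p - 1) * (q - 1))}


def public_part(key):
    return {k: key[k] for k in ("algorithm", "n", "e")}  # BrowserID "public-key" JSON shape


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_jwt(payload, key):
    head_body = _b64u(json.dumps({"alg": "RS256"}).encode()) + "." + _b64u(json.dumps(payload).encode())
    sig = pow(_digest(head_body.encode()), key["d"], int(key["n"]))
    return head_body + "." + _b64u(sig.to_bytes((sig.bit_length() + 7) // 8 or 1, "big"))


def verify_jwt(token, pubkey):
    """Return the payload if the signature checks against pubkey, else None."""
    try:
        head, body, sig = token.split(".")
        s = int.from_bytes(_unb64u(sig), "big")
        if pow(s, int(pubkey["e"]), int(pubkey["n"])) != _digest(f"{head}.{body}".encode()):
            return None
        return json.loads(_unb64u(body))
    except (ValueError, KeyError, TypeError):  # wrong part count, bad base64/JSON, bad key
        return None


class LocalVerifier:
    """Check a backed assertion (cert~assertion) on the RP itself: no call to a remote verifier.
    support_docs maps domain -> its /.well-known/browserid document (constructed in memory here;
    a real RP fetches and caches them over HTTPS). A domain with no document belongs to the fallback."""

    def __init__(self, support_docs, now_ms=None):
        self.support_docs, self.now_ms = support_docs, now_ms

    def issuer_for(self, domain):
        seen = set()
        while domain not in seen:  # follow "authority" delegation, refuse loops
            seen.add(domain)
            doc = self.support_docs.get(domain)
            if doc is None:
                return FALLBACK_IDP
            if "authority" not in doc:
                return domain
            domain = doc["authority"]
        return None

    def verify(self, backed_assertion, audience):
        now = self.now_ms if self.now_ms is not None else int(time.time() * 1000)
        parts = backed_assertion.split("~")
        if len(parts) != 2:
            return None, "expected exactly one certificate plus one assertion"
        cert_jwt, assertion_jwt = parts
        try:  # read the still-unverified cert body only to learn whose key must verify it
            claimed = json.loads(_unb64u(cert_jwt.split(".")[1]))
        except (ValueError, IndexError):
            return None, "malformed certificate"
        email = claimed.get("principal", {}).get("email", "")
        domain = email.rpartition("@")[2]
        if not domain:
            return None, "certificate has no principal email"
        issuer = self.issuer_for(domain)
        if issuer is None or claimed.get("iss") != issuer:
            return None, f"issuer {claimed.get('iss')!r} is not authoritative for {domain}"
        idp_doc = self.support_docs.get(issuer) or {}
        if "public-key" not in idp_doc:
            return None, f"no public key for issuer {issuer}"
        cert = verify_jwt(cert_jwt, idp_doc["public-key"])
        if cert is None or cert.get("exp", 0) <= now:
            return None, "certificate signature invalid or expired"
        assertion = verify_jwt(assertion_jwt, cert.get("public-key") or {})
        if assertion is None or assertion.get("exp", 0) <= now:
            return None, "assertion signature invalid or expired"
        if assertion.get("aud") != audience:  # blocks replay of an assertion minted for another site
            return None, f"assertion audience {assertion.get('aud')!r} != {audience!r}"
        return email, "ok"


def build_backed_assertion(email, issuer, idp_key, user_key, audience, now_ms):
    # IdP certifies the user's public key for the e-mail (24 h); the browser then signs a
    # short-lived assertion for exactly one audience with the matching private key.
    cert = sign_jwt({"iss": issuer, "iat": now_ms, "exp": now_ms + 86_400_000,
                     "public-key": public_part(user_key), "principal": {"email": email}}, idp_key)
    return cert + "~" + sign_jwt({"exp": now_ms + 120_000, "aud": audience}, user_key)


def demo():
    now = 1_414_703_220_000  # about the date of this mail, in ms (constructed)
    idp_key, fallback_key, user_key = make_key(0), make_key(1), make_key(2)
    docs = {  # constructed support documents; nobody.net deliberately publishes none
        "example.com": {"public-key": public_part(idp_key), "authentication": "/auth", "provisioning": "/prov"},
        FALLBACK_IDP: {"public-key": public_part(fallback_key), "authentication": "/auth", "provisioning": "/prov"},
    }
    rp, v = "https://rp.example.org", LocalVerifier(docs, now_ms=now)
    hosted = build_backed_assertion("alice@example.com", "example.com", idp_key, user_key, rp, now)
    return {
        "self_hosted_idp": v.verify(hosted, rp),
        "fallback_for_unhosted_domain": v.verify(build_backed_assertion(
            "bob@nobody.net", FALLBACK_IDP, fallback_key, user_key, rp, now), rp),
        "fallback_for_hosted_domain": v.verify(build_backed_assertion(
            "alice@example.com", FALLBACK_IDP, fallback_key, user_key, rp, now), rp),
        "wrong_audience": v.verify(hosted, "https://other.example.org"),
        "expired": LocalVerifier(docs, now_ms=now + 200_000).verify(hosted, rp),
    }


if __name__ == "__main__":
    for case, (user, why) in demo().items():
        print(f"{case}: {user or 'REJECTED'} ({why})")
```

The third case is the one a remote-verifier-only deployment never lets the RP see: a certificate from the fallback for an address whose domain runs its own IdP is rejected because the RP, not Mozilla, decided who is authoritative for that domain. Only the "nobody.net" case touches the fallback at all, which is the deployment shape the mail asks for.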