fmarier
- Karma
- 53
- Created
- September 22, 2010 (15y ago)
- Submissions
- 0
Free and Open Source software developer
https://fmarier.org
[ my public key: https://keybase.io/fmarier; my proof: https://keybase.io/fmarier/sigs/DgmaM0qamFAjS0VuAdpoGMTDMb9JMVMh76QT7KOYjs8 ]
> And how are these cookies cleared? They are cleared the same way as normal cookies: they are visible in the cookie manager where they can be manually deleted, and they are generally included in all of the other…
> did you evaluate various information sources (Ghostery, etc.) before settling on Disconnect? Monica Chew, the engineer who did the bulk of the work on this feature, did consider a number of available lists before…
Yes, your best protection is a short-lived signature on the user's public key. That's up to the identity provider to decide. On our internal Persona IdP (for mozilla.com and mozillafoundation.org email addresses), the…
One thing to note as well is that if a virus steals your email password, then you're a bit screwed too because that can, in most cases, be used to reset your password on other sites. As we've seen with a bunch of…
I think you might be confused with how Persona works, it's not quite like OAuth. There is no "token" in Persona, we have keys and assertions. The first step is for your browser to generate a public and secret keypair.…
Right now, you're right and that's because of the temporary centralized components: 1. JavaScript shim 2. include.js 3. Centralized verifier 4. Fallback identity provider However, we've designed the protocol so that all…
It's definitely in line with what Persona does. After all, Persona evolved from the "Verified Email Protocol" (https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol). Right now, our fallback identity provider…
Yes and we're tracking it here: https://github.com/mozilla/browserid/issues/2158 That list you see in Chromium (which is now also shared with Firefox) is the list of sites that come with HSTS…
Regarding the case-sensitivity issues, this pull request should have fixed all of the outstanding ones: https://github.com/mozilla/browserid/pull/3078 Of course, if you find anything we've missed, please file a bug :)
Indeed, you're not the only one confused by this flow, which is why there's an open bug for it: https://github.com/mozilla/browserid/issues/1232
The fallback identity provider (at login.persona.org) does use email for password resets, but other identity providers will likely use other mechanisms.
Logging into a different device is not a problem, you just get a different certificate in that device's browser and it allows you to login in the same way. When you use a computer that's not your own, Persona keeps the…
One of the reasons why we couldn't just "fix" OpenID is that we wanted a scheme that would be privacy-sensitive. With OpenID, the result of the site redirecting you to the IdP (and then the IdP redirecting you back to…
This talk gets into how the protocol works without getting too much into the crypto: https://www.youtube.com/watch?v=iZBTc7iEkQY
When you click the "Sign in with Persona" button on a website, the dialog that pops up has a "This is not me" button which logs out the current user and allows you to login with a different email.
Can you be more specific as to how you find the UX lacking? Getting UX right is a priority for Persona.
Thanks, that's really good feedback. I've pasted your comments into a bug report: https://github.com/mozilla/browserid/issues/2539 Feel free to jump in if you have ideas on how we can phrase this better.
...and assuming it's written in Python (is it?), it should be pretty easy to do: https://github.com/mozilla/browserid-cookbook/blob/master/py...
> 3.it prompts for your password - gmail password or yahoo password Yes. In this case the "it" that prompts for your password will be an iframe served from gmail/yahoo. Once they support Persona natively,…
In the case of the Javascript shim, the certificates are stored in the browser's local storage. In Firefox (and I believe in most other browsers), this gets deleted when you clear cookies. So you can do that before you…
We'll also be looking into DNS-based delegation for the next beta: https://github.com/mozilla/browserid/issues/1523
You can manage your account (e.g. change password, remove emails) by signing into https://login.persona.org .
Gitorious.org on the other hand is an Open Source startup.
Indeed. Those were exactly the design goals I had when I wrote safe-rm (shortly after deleting my /usr/lib!).
PDF and rough MP3 recording up here: http://people.debian.org/~francois/nzcs/ The video should be available from http://www.innovation.org.nz at some point.