[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Mozilla Persona and Tor

On 03/28/2013 08:55 PM, Mike Perry wrote:
Thus spake NoName (antispam06@xxxxxxx):

I have heard in the past about Persona. Actually BrowserID. It
sounded like a bad idea, but I can't recall why I have set this

I guess, you perhaps should read on...

I actually really like the privacy properties Persona *could* provide in
theory. In theory, it can solve most (or maybe even all) of the problems
we have with third party identity providers today.

There seem to be some wrinkles in practice, though.


 From my perspective the most important properties of Persona are:

1. In theory, the identity provider does not discover the sites that you
visit. It merely issues a signed statement that your browser stores to
later present to websites. If this property holds, it's quite awesome.

2. Sites that you visit do not get to inspect which identity statements
you have installed. The user is prompted to send the site either zero or
one of their potentially many signed identity statements. This is also

Agreed. It would be cool if it was limited to these.

In my not so humble opinion: Persona requires an email address!

Email addresses are Personal Identifying Data!

Email addresses are a scarce resource for most of the worlds' people. Even for the enlightened few that have their own domains. Or the people that can use xxx+<variable part>@yyy.zzz like addresses if the site and their provider allows it.

IMHO: The only way to use Persona privately is to use a throwaway email address for each different site.

Regards, Guido.
tor-talk mailing list