Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm genuinely curious. I did my bachelor's thesis on the identity ecosystem. I was an early adopter of CardSpace, iNames, OpenID, and any other digital identity solution that came along and I watched them wither from lack of interest. I was continually told that passwords are good enough, and that nobody is interested in a digital identity solution.

Persona doesn't sound that different from solutions that came before it. It sounds really similar to CardSpace, especially with how easily you can integrate it into a site. So why would Persona have a chance at succeeding where so many others have failed? Is it just a matter of timing, coming after some major password leaks, or are they hoping the Mozilla name will buy them support from the developer community?



I'd say a key innovation of Mozilla Persona is the marketing. It's got the Mozilla brand on it, it's well explained, the demos are slick. That may seem like fluff but it may make a significant difference in adoption. (See also: Stripe.)


I am not familiar with CardSpaces, but a considerable difference between OpenID and Persona is a matter of anonymity. With OpenID, your OpenID provider (e.g. Google) can track you as you log to your various accounts. By opposition, with Persona, the Persona provider does not get any meaningful information that can be used to blow your anonymity.


tl;dr - Here's a video demonstration: http://youtu.be/0_6rC025sK0?t=34m16s

CardSpace was a Microsoft project led by Kim Cameron, the godfather of digital identity. They originally wanted to make it part of Windows Vista, but it was dropped for lack of interest. It was an open standard, and there were browser plugins to make it work in other browsers and operating systems. Microsoft knew they couldn't make it a Windows-only thing if they wanted people adopting it. They just wanted to be at the forefront of security for once.

A developer would add meta tags to a site's login page with a URL to post identity info to and a list of information it's requesting. That would trigger the browser (or plugin) to open a modal display of identity "cards", which the user could choose from. Then it would show what information the site requested and they could deny individual pieces of info. The data would be posted back to the site, along with a unique signature for that user & site.

Cards could be self-issued or issued by a third party, like your employer or bank. They could have graphical backgrounds applied so they looked more like ID cards or credit cards. It was a great UI for identity, and easy for developers to use. But I think the Microsoft name tarnished it. I know people outside the identity community were making comments about how this was Microsoft's attempt to become Big Brother & so forth, even though Microsoft was completely out of the communication loop between the user and the site.


Sounds interesting, but I never heard of it. This is a common issue for big corps - they see good ideas as not being popular enough, so they don't market them. Self-fulfilling prophecy.


You lost at "browser plugins". Persona uses a JS shim that requires no plugins or browser changes.


CardSpace was 2003ish.. "browser plugins" were the standard option for all kind of things, while JS shims merely provided <blink> on non-MS browsers.


I tried logging in to OpenPhoto with my Gmail address, and there's my profile photo pulled from my Google account. How can I be sure no tracks were created in the process of getting that image?


Once the site you sign into has your identity, the protocol can't stop them announcing to the world that you have signed in. But it doesn't require the ID provider to know where you're signing in.

Also, are you sure it's not from gravatar? In my case, it's the same image as the google profile photo.


My Gmail and Gravatar are different, and it definitely didn't pull the one from Gmail. I use that image on other sites, but not on GMail.

So I think it's very likely that it's just Gravatar, and all you need is an email address to pull that.


I didn't remember setting up a Gravatar for my Gmail address, but it turns out I did, so yes, it's entirely possible it's from Gravatar. I feel better about that, although I guess Gravatar can track me now.


If you log into a service, that service can inform arbitrary third parties that you've logged in. By requesting your photo from google it is doing so, but how would you stop this at the protocol level?


To be honest it "feels" like the right time.

But i have to say unless Google/Yahoo/Facebook/Twitter support this it will whitehr and die. I suppose it depends if they are really watching what we login to with openid.


> But i have to say unless Google/Yahoo/Facebook/Twitter support this it will whitehr and die.

Why? It might not become ubiquitous if they big players don't support it, but it could become the alternative that all the other sites use and makes their lives easier.

I don't see a network effect here that means only one method will win and all the others lose.


I wonder how feasible it would be to shim OpenID and OAuth on top of this? Many major email providers offer OpenID or OAuth to verify email ownership. If the browser fell back to using one of those, it wouldn't need to use the alternate user/pass system in Persona.


The Persona team is actively working on this, actually. When a domain can't certify its own users, we fall back to having login.persona.org act as a third-party verifier. Of course, login.persona.org needs proof that you are who you say you are, so on first contact we create a password and do a standard email confirmation. Semantically, we'd get the same assurance, and better UX, by bridging to OpenID (Yahoo, Google) and OAuth (Hotmail). So we're doing that. :) This is a major Q4 goal for us, and we're mostly code-complete, modulo things that turn up in QA.


if I understand you correctly, That rather defeats the privacy defending part of persona. At the moment any site who wants to verify me through openid has to request back to gmail. So google knows every time I log into a openid site, which site it is, and can also refuse to verify me if they choose (not in enough circles, arrived at site with a bing.com referrer header etc etc)

no, I like this design, and I am guessing the reason only time crossword signed up is that google and yahoo like knowing which sites I have visited. Making me even more happy to move away




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: