This worries me a little. Perhaps because I don't fully understand what's going on under the bonnet. When I give a website my email address, some communication must happen between that website and Persona. So there's some centralised Persona server sending auth tokens back and forth between websites that use the Persona API? Am I misunderstanding?
If that's not the case, then what, exactly, information does website X have about me now that I have 'logged in using persona'?
I had this misunderstanding also, but if I understand it correctly...
Basically a site using Persona tries to send you to your email provider to authenticate. If your email provider is running Persona, you'll authenticate through them, and the email provider sends a token back confirming your identity.
Mozilla is the default identity provider for people whose email providers don't run Persona (yet). Once the project gains widespread adoption, Mozilla won't be processing many, if any, authentications because they'll be distributed to email providers.
Also it will in theory work as a browser extension, so your email provider sends your browser the token, and your browser sends the token to the websites you log in to. So your email provider doesn't know where you're logging in.
>Also it will in theory work as a browser extension, so your email provider sends your browser the token, and your browser sends the token to the websites you log in to. So your email provider doesn't know where you're logging in.
I don't understand this. Presumably there's nothing stopping Website X sending both: a) my email address; and b) Website X's URL.
Scenario: Joe Bloggs tries to log in to www.SiteThatSellsCars.com using Persona. Joe enters his email address. SiteThatSellsCars sends Joe's email address and "www.SiteThatSellsCars.com" to Joe's ISP. This translates to SiteThatSellsCars saying, "Hey, Joe's ISP, Joe is looking to buy a car, you should send him a metric shit-load of car adverts. He might not like it, but whatever. Thanks for the $20!". Then Joe's ISP replies with, "I sent Joe a token to his browser so he thinks he still has his privacy, but fuck him. Every customer you tell us about, we'll give you $20."
The site doesn't send anything at all to the identity provider. Your browser sends an authentication request to the identity provider and relays it to the site it wants to log into.
The site then checks the request is really signed by the identity provider and lets the user in.
The identity provider knows two things:
- You asked to log in somewhere
- At least one person logged in to site X because site X asked for its public key
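The flow described in the comment above, sketched as an added example (not code from this thread or from Persona itself). Ed25519 keys and plain JSON stand in for Persona's actual key and token formats, and `idp.example`, `cars.example` and all function names are constructed for illustration.

```javascript
// Added sketch: the IdP certifies the browser's key, the browser signs for one site.
const crypto = require('crypto');

const sign = (obj, privateKey) => {
  const payload = Buffer.from(JSON.stringify(obj));
  return { payload: payload.toString('base64'),
           sig: crypto.sign(null, payload, privateKey).toString('base64') };
};
const open = (signed, publicKey) => {       // returns the claims, or null if the signature fails
  const payload = Buffer.from(signed.payload, 'base64');
  const good = crypto.verify(null, payload, publicKey, Buffer.from(signed.sig, 'base64'));
  return good ? JSON.parse(payload.toString()) : null;
};
const pem = (key) => key.export({ type: 'spki', format: 'pem' });

// Identity provider: sees the email and the browser's public key, never the site.
const idp = crypto.generateKeyPairSync('ed25519');
function idpIssueCert(email, userPublicPem, now) {
  return sign({ iss: 'idp.example', email, userKey: userPublicPem, exp: now + 3600 }, idp.privateKey);
}

// Browser: keeps the cert and signs a short-lived assertion naming the target site.
function browserAssert(cert, userPrivateKey, audience, now) {
  return { cert, assertion: sign({ aud: audience, exp: now + 120 }, userPrivateKey) };
}

// Site: needs only the IdP public key (passed in here; a real site would fetch it).
function siteVerify(bundle, idpPublicKey, myOrigin, now) {
  const cert = open(bundle.cert, idpPublicKey);
  if (!cert || cert.exp < now) return null;
  const claim = open(bundle.assertion, crypto.createPublicKey(cert.userKey));
  if (!claim || claim.exp < now || claim.aud !== myOrigin) return null;
  return cert.email;
}

function demo() {
  const now = 1700000000;                   // constructed timestamp
  const user = crypto.generateKeyPairSync('ed25519');
  const cert = idpIssueCert('joe@idp.example', pem(user.publicKey), now);
  const bundle = browserAssert(cert, user.privateKey, 'https://cars.example', now);
  return {
    ok: siteVerify(bundle, idp.publicKey, 'https://cars.example', now),
    replayed: siteVerify(bundle, idp.publicKey, 'https://other.example', now),
    expired: siteVerify(bundle, idp.publicKey, 'https://cars.example', now + 600),
    idpSigned: JSON.parse(Buffer.from(cert.payload, 'base64').toString()),
  };
}
```

The `idpSigned` claims contain no audience field: the site's origin appears only in the assertion the browser signs locally, and a bundle replayed to a different origin is rejected.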
> I don't understand this. Presumably there's nothing stopping Website X sending both: a) my email address; and b) Website X's URL.
Yes, but there's nothing stopping them from doing that today. Persona doesn't help you if the site you sign into can't be trusted with the identity you give them. But nothing requires you to give them your normal e-mail address - you could just use a throwaway if you find that a concern.
This is not what Persona tries to fix.
Persona is single sign-on where the identity provider does not know which site you sign in to, unlike current solutions where e.g. Google, Twitter or Facebook knows where you sign in, whether or not the site you sign into is trustworthy.
> So your email provider doesn't know where you're logging in.
This is already the case. For browsers that use the shim, the certificate is stored in localStorage on the login.persona.org domain, and then given to the website you're trying to log in to.