A couple of episodes back, commenter “tom jones” wrote, urging me to study Mozilla Persona: “it seems all the questions you are discussing have already been solved by them.” Well, then.
[This is part of the Federation Conversation series.] This piece in particular left a lot of open questions in my mind, which appear at the end of the sections down below. None of them are rhetorical and I’d like to hear what people think.
So I went and looked at the Persona docs, and had some email back and forth with Lloyd Hilaiel, a Mozillian who works on it, and wired it into my testbed at favcolor.net — and it sort of works.
But please don’t go beat on it yet, there are some missing pieces (see below) and the integration is kinda rough.
So I’m not a world-class Persona expert, but my hands are dirty enough to talk about it. I’ll compare it here and there with the OAuth-2-based OpenID Connect protocol, which I’ll call “OIDC” for short.
Moving target · Persona is one. I had two real irritants in integrating it with my testbed. First of all, as it stands now, the sign-in dialogue is popup-only, which means you have to have a human click something to launch it; you can’t start it programmatically, which means even if you know the email they want to log in with, the IDP they want to use, and every other relevant fact, there’s no way to just launch the freaking sign-in process already. Second, when you do launch the sign-in process, there’s no way to tell Persona which email address you’re trying to sign in with, so (unless they’re already signed in) the luckless human is going to have to type it again.
If you think about it, you can combine those two capabilities with something like AccountChooser and get secure one-click sign-in, and after you’ve experienced that even once, it sure smells like the future.
But, Lloyd tells me (with pointers to Github branches), they’re fixing that stuff. So when they do, I’ll smooth out my testbed integration and encourage everyone to try it.
OK, now let’s ask some questions.
The theory · It’s documented in Protocol Overview, and has the following players: The Browser is being operated by a person with an email address. The IDP is a Persona Identity Provider, for example login.persona.org. The RP is a site that wants to log the user in. It goes like this:
1. The Browser generates a keypair.
2. The Browser sends its public key to the IDP.
3. The IDP authenticates the person at the Browser to an email address, with a traditional password or space-age hardware token or whatever.
4. The IDP generates an “IDP assertion” containing the email address, the Browser public key, and the IDP’s domain name, signs it with its private key, and sends it to the Browser.
5. The Browser generates an “RP assertion” containing the RP “origin” (scheme, domain, & port), and signs it with its private key.
6. To sign in, the Browser sends the RP assertion and IDP assertion off to the RP, which fetches the IDP’s public key, and can verify that:
   - The IDP issued the IDP assertion.
   - The IDP authenticated the email in the IDP assertion, and its association with the Browser keypair.
   - The Browser holds the same keypair and wants to log into the RP.
(I’m omitting a bunch of stuff about discovery and expiry times and so on, because I don’t think they’re essential to understanding.)
It’s pretty comprehensible, and has fewer steps than most OAuth 2 flows. Also, notice that the IDP doesn’t need to know who’s logging into the RP, so in theory there’s less tracking.
I now work among security experts but I’m not one, really, so I’m going to be silent on whether this is more or less secure than OAuth. And I’d encourage people joining the conversation to zip their lips unless they really understand these issues; 14 months in Google’s Identity group has taught me deep humility about the way real security people look at things, and how far I’d have to go to get there.
Question: If you’re an expert, do you think it’s secure enough?
Theory and practice · I was wiring in the Persona software, following the instructions in the (really pretty good) Quick Setup doc, and got to Step 6 in the flow above. I assumed my next task would be figuring out how to fetch the Persona.org keys and validate the assertions. But I don’t have to; the doc says, and I quote:
Once your server has an assertion, how do you verify it? The easiest way is to use a helper service provided by Mozilla. Simply POST the assertion to
https://verifier.login.persona.org/verify
with two parameters:
assertion:
The identity assertion provided by the user.
audience:
The hostname and port of your website. You must hardcode this value in your backend; do not derive it from any data supplied by the user.
I did that, and it works just fine. And, well... of course, the IDP (in this case login.persona.org) can now track everywhere I go and every time I sign in. So, just because you’re using a protocol that allows tracking avoidance, that doesn’t mean you’ll get it. Conversely, just because you’re using one like OIDC that tells the IDP where you’re signing in, that doesn’t mean your IDP will actually log it. This is about policy, not technology.
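What the RP-side check in step 6 of the flow above amounts to, and what the Quick Setup's verifier service does on your behalf, as an added Go example that is not Mozilla's code and not Persona's actual wire format: JSON structs are signed with Ed25519, alice@example.com and https://rp.example are constructed values, and login.persona.org stands in for an IDP whose public key the RP has already fetched out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// A simplified stand-in for Persona's data model (not its real wire format); expiry and key discovery are omitted, as in the post.
type IDPAssertion struct { // email <-> browser key binding, signed by the IDP (step 4)
	Email     string `json:"email"`
	BrowserPK []byte `json:"browser_pk"`
	Issuer    string `json:"iss"` // the IDP's domain, e.g. login.persona.org
}
type RPAssertion struct { // the RP origin being signed in to, signed by the browser (step 5)
	Audience string `json:"aud"`
}
type BackedAssertion struct { // the bundle the browser hands to the RP (step 6)
	IDP    IDPAssertion `json:"idp"`
	IDPSig []byte       `json:"idp_sig"`
	RP     RPAssertion  `json:"rp"`
	RPSig  []byte       `json:"rp_sig"`
}

// canon returns the bytes that get signed; struct field order is fixed, so they are deterministic.
func canon(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}

func verifySig(pk ed25519.PublicKey, v interface{}, sig []byte) bool {
	return len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, canon(v), sig) // Verify panics on a bad key length
}

// BuildAssertion plays the IDP (steps 3-4) and the browser (step 5) for one sign-in.
func BuildAssertion(idpKey, browserKey ed25519.PrivateKey, email, issuer, audience string) BackedAssertion {
	idp := IDPAssertion{email, browserKey.Public().(ed25519.PublicKey), issuer}
	rp := RPAssertion{audience}
	return BackedAssertion{idp, ed25519.Sign(idpKey, canon(idp)), rp, ed25519.Sign(browserKey, canon(rp))}
}

// Verify is the RP-side check that the Quick Setup hands off to Mozilla's remote verifier. idpKeys maps
// IDP domain -> public key fetched out of band; audience is the RP's own hardcoded origin, never taken from the request.
func Verify(a BackedAssertion, idpKeys map[string]ed25519.PublicKey, audience string) (string, error) {
	switch {
	case !verifySig(idpKeys[a.IDP.Issuer], a.IDP, a.IDPSig): // an unknown IDP yields a nil key and fails here too
		return "", errors.New("IDP assertion not signed by a known IDP")
	case !verifySig(a.IDP.BrowserPK, a.RP, a.RPSig): // does the browser hold the key the IDP certified?
		return "", errors.New("RP assertion not signed by the certified browser key")
	case a.RP.Audience != audience: // meant for us, or lifted from a sign-in to some other site?
		return "", errors.New("audience mismatch")
	}
	return a.IDP.Email, nil
}

func main() {
	_, idpKey, _ := ed25519.GenerateKey(rand.Reader)
	_, browserKey, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"login.persona.org": idpKey.Public().(ed25519.PublicKey)}
	a := BuildAssertion(idpKey, browserKey, "alice@example.com", "login.persona.org", "https://rp.example")
	fmt.Println(Verify(a, keys, "https://rp.example")) // alice@example.com <nil>
}
```

Because the audience is compared against a value the RP hardcodes, an assertion captured during a sign-in to a different site fails the third check even though both signatures on it are valid.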
Question: How many RPs do you think will bother to fetch the key and check the signatures, and how many will just do the easy thing that works from the Quick Setup?
Site Experience · Persona, by design, only shares its users’ emails with RPs. As far as the RP knows, you’re your email and that’s all you are. OIDC offers (with user consent) a small package of information: Display name, link to a photo, gender, and so on. Nobody’s under any obligation to provide these things, but you almost always get at least a display name, so you can say “Hi Tim Bray!” as opposed to “Hi tbray@textuality.com!”
So I had to do some re-engineering on my demo site to make do with less, and the user experience was a bit impoverished. For a demo that’s OK I guess, but this kind of thing will make a lot of app builders grumpy.
This notion of “social login” is really not a Facebook plot for world domination, it’s something that a whole lot of sites and services find value in. And there are lots of intermediate points between full-on Facebook Connect and nuthin’-but-email Persona.
Question: In terms of telling RPs about the people who sign in, where do you think the sweet spot is?
Human Experience · (Yes, I bend over backward to avoid the word “user”, which I loathe.) In OIDC, an essential step is that the RP registers its app at the IDP, with a human-readable label and optional graphic. And when you try to authenticate, the protocol includes an RP identifier and requires that you get a prompt asking if you’re OK with your identity being sent to that site (identified by text and graphics) before sign-in happens.
On the one hand, this makes sign-in tracking possible in principle. On the other hand, it means you can be really sure you’re never going to be signed in anywhere by surprise. (By the way, the protocol isn’t stupid, you only have to approve sign-in to a site once.)
Question: Which is better?
IDP Experience · In case it’s not obvious, I’m seeing mostly reasonable trade-offs between Persona and OIDC. At the moment, my biggest issue is, do I want to use Mozilla for my IDP? Well, they’re an independent non-profit (even if they are ad-financed), and they produce a totally great browser that I use every day of the year, and the Mozillians I know are by and large cool and smart. I’m a fan! So yeah, maybe.
But maybe not. How many data centers does Mozilla have? How many engineers doing abuse-detection and fraud-prevention and account-recovery? Do they offer two-factor? How good are their lawyers? How well are they defended against attackers who are employees of foreign governments?
I actually think this probably isn’t a problem, because I can’t see why Mozilla would want to build out the horribly-expensive infrastructure and devops you need to be a global-scale IDP. Maybe they’d like to be an (unusual) IDP-with-no-other-service-businesses for people with special privacy requirements? But actually, for the mainstream, I think they’d be perfectly happy if Google and Facebook and PayPal and so on decided to be Persona IDPs.
It wouldn’t be that hard for Google to be a Persona IDP, I think, assuming our security gorgons can get comfy with the protocol.
Question: Should Google be a Persona IDP? Why?
Mobile experience · I’m quite intimate with our work on OAuth-2-enabling Android apps. It was hard because OAuth 2 explicitly relies on browser redirects, which native mobile apps can’t straightforwardly do.
I note that Persona doesn’t really depend on redirect semantics, and if you could find a way to park a long-lived IDP assertion on a mobile device, that might help things work smoothly in the native-app context.
I haven’t dug into this much, but the idea has promise.
Question: Is there any Persona-on-mobile work going on out there?
That tracking thing · I confess: I. Just. Don’t. Get. It. I am reasonably paranoid; I routinely refuse to share my location, and I am currently refusing to install the mobile app from my bank because it wants permission to read my contacts. Ewwwww... banking isn’t social!
But check out the gory details on who’s watching you. Your phone company knows where you are all the time, and between the spooks, the enemies, and the ad companies, you are being tracked eight ways from center, permanently. The fact that an IDP knows about my (relatively-infrequent) sign-in events seems to me like it’s way off to the right of the privacy decimal point.
Having said that, I acknowledge that there are people who are going to disagree. And yeah, if you’re that kind of person, Persona should (in theory, if not always in practice) allow you to dodge one particular flavor of tracking.
Question: Is there a reason why sign-in tracking is especially pernicious and to be avoided?
The future · I think Persona’s just fine. It didn’t take long to understand and it didn’t take long to integrate with. I don’t know whether it’ll become a big mainstream ecosystem or not; wouldn’t be surprised either way.
I’ll tell you one thing I’m pretty sure of, though: The future will have more than one Identity protocol.
My work hooking up Persona to various bits of Identity middleware already has one interesting finding, orthogonal to the goodness-or-not of Persona, and here it is: I’ve had remarkably little pain wiring together real OIDC as practiced by Google, not-quite-real OIDC from Microsoft and Facebook, and Persona, all in one app, with a decent, consistent user experience.
Question: Does anyone not think we’re headed for a multi-protocol future?
Comment feed for ongoing:
From: orcmid (Aug 29 2013, at 11:41)
I think you're right about the social and human aspect, and the desire for a selector, although I think that is partly an RP issue.
It seems to me that a persona-style IDP could certainly cooperate in the presentation of the attestations the RP wants and selecting which one the identified party approves being conveyed to the RP. Since the claims/attestations can be selectively bundled in the package that the IDP signs, this might turn out to be interesting, along with the non-tracking aspect (assuming a well-behaved RP).
From: Wes Felter (Aug 29 2013, at 13:11)
All email providers should become Persona IDPs; the Mozilla IDP is a temporary fallback. (My only real complaint about Persona is that it has so many crutches that people tend to confuse the crutches for the protocol itself.)
AFAIK the plan is to bake Persona (and no other protocol) into Firefox; once that happens Persona would have a significant advantage in the multi-protocol future.
From: David Magda (Aug 29 2013, at 14:19)
[quote]That tracking thing--I confess: I. Just. Don’t. Get. It.[/quote]
This is because you're a middle-age, white, straight male living in a fairly liberal Western democracy.
If you were a minority (e.g., Christian in Iraq, China), a homosexual, and/or a female, living in a region of the world that was not part of NATO or the Commonwealth, being able to associate with a self-identifying 'social tribe' (to use Doctorow's phrase) would be much more risky to your well-being if that 'tribe' wasn't part of the local majority.
[quote]Is there a reason why sign-in tracking is especially pernicious and to be avoided?[/quote]
Yes: because some people do have something to hide. From their government, their superstitious neighbors, from their family (who may think honour killing is okay).
If we want a sign-in method for the global Internet, then you must think globally and culturally and consider all the situations that this planet's seven billion (and growing) souls could find themselves in.
The choice of anonymity has to be there; even if you personally choose not to use it, don't take it away from others. Optional tracking is fine, baked in tracking is not.
From: Austin King (Aug 29 2013, at 15:33)
Thanks for these thoughtful questions and evaluation.
Here are my thoughts:
https://ozten.com/psto/2013/08/29/fc4-persona-questions/
From: Graham Klyne (Aug 30 2013, at 00:40)
Many thanks for this, from one who has not yet found time to dig into the source documents.
Re. your comments on user experience (additional info, etc.), and tracking, it seems to me that much of this variability could be handled through an application's choice of verifier service. From your description, it seems that Persona is a minimal authentication service (by design, I suspect) upon which other levels of service (and intrusion) can be built. The verifier service looks like a point where such additional capabilities might be added.
I could even imagine multiple Persona providers with different verification mechanisms. (I guess that "OK to log in to <foo>?" would need to be handled through browser redirects rather than a simple http service.) Whether that would be a useful or desirable outcome, I don't currently have an opinion.
From: Susan Marshall (Aug 30 2013, at 06:36)
[quote]Your phone company knows where you are all the time, and between the spooks, the enemies, and the ad companies, you are being tracked eight ways from center, permanently.[/quote]
Therefore we should just give up on privacy? I shouldn't need to point out to you that there is close to nobody uncomfortable with corporate tracking who is not also uncomfortable with being tracked by states foreign or domestic, so I'm not exactly sure what your point is.
Entrenchment is a one word counter-argument. The more normal it becomes that all of our digital activity is warehoused and pattern-matched, the harder it becomes to argue that it needs to be stopped. If Facebook and Google know everything about me then why shouldn't the CIA? Why, at that point the information is practically public domain.
I would like to hear you talk more about why you routinely refuse to share your location. What harm could there be in that, and what specific harms are you avoiding that are related to handing over your geographic information in particular and not to handing over your personal information in general?
Your assertion that "just because we can, doesn't mean we do" leaves me completely unmoved. The fact that the protocol allows for wholesale tracking means that at some point these companies will either choose or be compelled to do so. Anyone who doesn't see that is surely making a conscious effort to ignore the trends in Facebook's privacy settings and the NSA's floorspace, and in the corporate culture of the internet in general. We already know that these Googleface Plusbook companies are under pressure from literally dozens of sovereign powers to turn over everything they have and everything they are able to collect. That pressure is only going to get worse, and unless there is widespread popular support for these companies to resist they will eventually relent. Not to mention that these are publicly traded corporations, which puts their CEOs under a legal obligation to maximize profits. The more you know about your customers the more profitable they become as commodities.
It feels a bit disingenuous when you say that you "Just. Don't. Get. It." I wish you wouldn't make a statement of personal ignorance with so much force, as if it's some sort of argument. I realise I'm nit-picking but the "just" in particular makes it sound like you've given up trying to get it, if you really don't get it then I'd rather hear you say "I don't get it yet". You should be aiming to be able to say "yes, I get it, but I am satisfied that these concerns are misplaced."
Let me tell you about my concerns. I have two friends who are political refugees from two different countries, who are in the process of seeking asylum in the country where I live. One of these countries is doing its best impression of an ostrich with regards to the internet, but the other is known to be rather more proactive in gathering information about persons of interest and their associates. I have several friends in this second country and I like to visit there from time to time, so I'd very much prefer that this government did not become aware that I am associating with someone who they see as a wanted criminal. So I find it rather concerning that we're moving towards a future where every Tom, Dick and Harry website that I want to try out can uniquely identify me out of everyone on the internet, that every click I send down the tubes contributes to a corpus of information bound to that identity and that oh and by the way, we'd like access to your list of contacts when you sign in so that we can enrich your user experience. Does this website store my contacts in a database that might be compromised? Is this website already compromised, every login and every bit of information they receive being siphoned away to God knows where for God knows what purpose, where it will remain, we must assume, forever?
[quote]Is there a reason why sign-in tracking is especially pernicious and to be avoided?[/quote]
You are missing the point. Especially pernicious? Of course not. But I've exchanged emails with my friends. For all I know it's enough that I have checked those emails on this computer, and then made this post complaining about government powers from the same MAC address, to get me red-flagged. Maybe it's using the same email to login to facebook, liking the wrong thing, or even having a friend like or share the wrong thing, that will get them to notice me. But maybe it's not until I share my contacts on the wrong website that I get noticed, maybe it's only after all of my movements on the web have been passed through some kind of data-mining engine that I am deemed worthy of attention. And if, one day, I (or God forbid, one of my friends) goes into a border control area and does not come out the other side, there will be no way of knowing which combination of clicks and keystrokes it was that caused it.
So, with all of my metadata falling into a black hole, it's not due to any especial perniciousness but a matter of personal policy that I try to make it at least a little bit difficult to turn my actions on the internet into a coherent profile.
I guess I'd throw your question back at you: Is there a reason why geographic position tracking is especially pernicious and to be avoided? Or do you, like me, simply have a vague fear because you don't fully understand what happens to that data once it's out of your hands?
I'll admit I'm being paranoid. But I know people who have had friends disappear, people whose families are at risk because of the things they have done. These things happen. Paranoid, yes. Too paranoid, there is no such thing.
From: Michael Schwartz (Aug 30 2013, at 07:56)
Tim: Instead of "Human" try "Person" ... you don't want to discriminate against non-humans... if my dolphin has a Facebook account, shouldn't her privacy also be respected?
From: Rob Bosman (Aug 30 2013, at 08:59)
A multi-protocol future, no doubt, just like in "the real world". Every country can have its own passport as long as those who need to work with multiple passports, like customs, have the tools to bridge the gap.
So, what's needed is a standard to bridge the multiple-protocols.
Personally I'm convinced that the IDs of persons, organizations, sub-organizations and roles will sooner or later be blended into one system, since any personal ID is per definition a temporary RELATION between an individual and an organization. The future moves into the direction of what I called a Universal Relation Manager as the heart of any identity system.
From: Dogen (Aug 30 2013, at 11:34)
Thanks for this description, it sounds like persona is going in the right direction from my perspective.
What I want is an independent, not-for-profit, IDP system sort of like the Domain Name System.
I do not want my online identity(ies) tied to any single company I am doing business with.
I do want to be able to use my online ID in a way that provides a bare minimum of information about me to the services I sign in to.
If I want a particular service (or all of them) to have more information I want to consciously and deliberately configure this to happen and I want the ability to change this or turn it off. Of course, once I use a service and it knows my ID, it can (and will) start adding attributes that it cares about to that ID.
Is this too much to ask? Is it hard to understand why this makes sense to a lot of people? The current state of chaos seems completely silly.
From: Mary Freeman (Sep 04 2013, at 08:03)
Freaky: Google+ suggesting my brother as first contact when I sign up for a Gmail account with no physical address (only a town), using my work email, from my work PC at a (relatively) new job.
Annoying: Linked In using friends address books to send "work" email to my "home" email address instead of the one I signed up with. Facebook sending emails to my company address instead of my "work" gmail address.
Complicated: having 6 email addresses to keep my personas separate.
Priceless: knowing that nowadays anything on the internet is a postcard not a private letter.