- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Thu, 9 May 2013 23:55:44 +0200
- To: Kumar McMillan <kmcmillan@mozilla.com>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>
- Message-ID: <CAKaEYh+M6kcGMc_wyn43xSVjQBaofAz=Ptwmy+PMS2-eqUUQJQ@mail.gmail.com>
On 9 May 2013 23:37, Kumar McMillan <kmcmillan@mozilla.com> wrote:

> On May 9, 2013, at 3:17 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> > On 05/07/2013 02:05 PM, Melvin Carvalho wrote:
> >> https://github.com/web-payments/browser-payments/
> >>
> >> I think perhaps there needs to be some thought about security.
> >> Maybe even a security considerations section.
> >
> > Good point, I added an issue to track this:
> >
> > https://github.com/web-payments/browser-payments/issues/9
> >
> >> One thing that springs to mind is: if I have an email, but do not
> >> implement /.well-known/browserid, would it be possible for Mozilla to
> >> impersonate me and send a payment?
> >
> > The current design of Persona allows the centralized identity service
> > that they currently run to impersonate anyone on any site that uses a
> > Persona login. The underlying assumption with Persona today is that the
> > web trusts Mozilla when it comes to identity.
> >
> > Even when Persona becomes more decentralized, the underlying system will
> > still require you to trust your identity/email provider to make claims
> > about the validity of your e-mail address.
>
> This is not entirely accurate. Persona (when bootstrapped by Mozilla)
> requires you to trust the user's email provider, yes, but you have to do
> this anyway. Let's say you let a user sign up through your site and Persona
> is not involved. You must still trust their email provider to deliver the
> link that they click on for verification. Persona does not introduce
> anything less secure than this.

I get this point. And this may be true in many web services, such as Twitter, but it's relatively rare that having access to someone's email account will give them access to their bank account. For example, my landlord has the keys to my mailbox. So in theory he could gain access to my bank account.

I think it's a similar argument to say, because I'm already trusting my landlord, he should be given access to my bank account. I think most people would wish to separate concerns to an extent.

> When fully decentralized, what Persona adds is you can verify the
> signature of someone's identity against a well known public key (that of
> the email provider); this is slightly better than simply trusting that the
> user will click on a link because they have an inbox password :)

A fully decentralized Persona is quite an assumption. There are only degrees of the centralized/decentralized balance. It's probably 99% centralized today. It's unclear that it will ever reach a 50% decentralized / centralized ratio (and it would be quite a feat!) ... 100% seems hard to imagine at this point.

> Some big email providers (like Yahoo) are already implementing Persona and
> more are on the way. When you get an identity assertion and you verify it
> on your backend, you could do it yourself by fetching the public keys of
> the issuer and checking the signature. Mozilla *hosts* a verification
> service for convenience and to ease uptake but it's not mandatory. Thus,
> you are not required to talk to a Mozilla server at all to use Persona.

That's great news! There are many things about Persona that I like, but it may need a bit more work before I'd be happy to use it for large payments.

> _
>
> Anyway, identity is left out of the initial navigator.mozPay() spec
> because we think it will be hard to convince other parties to use a single
> identity provider (Google Checkout will probably want to use Google
> Accounts, for example). We made mozPay() identity agnostic and hopefully it
> can stay that way and still have a lot of functionality. Prescribing a
> single identity solution in a future version would however make several
> things easier, like customer product ownership.
>
> -Kumar
>
> > Ultimately, if you are going to have identity on the web, you have to
> > trust the server running the software. :)
> >
> > -- manu
> >
> > --
> > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> > Founder/CEO - Digital Bazaar, Inc.
> > blog: Meritora - Web payments commercial launch
> > http://blog.meritora.com/launch/
Received on Thursday, 9 May 2013 21:56:12 UTC