Author: Melvin Carvalho 2013-08-09 11:57:49
Published on: 2013-08-09T11:57:49+00:00
In an email thread on August 9th, 2013, Mike Hearn discussed Mozilla Persona as a potential infrastructure for web-based single sign-on. Persona is an SSO system that works by having email providers sign temporary certificates for their users, whose browsers then sign server-provided challenges to prove their email address. The goal of the system is to become transparently decentralized over time; however, in its current state, it relies on trusted third parties and centralized servers to store keys and passwords. Hearn suggests that using Persona to sign payments could be beneficial due to its convenience compared to certificate authorities (CAs). While CAs are designed for website administrators, Persona is designed for users and offers a smart and professional user experience. Although Persona currently doesn't use X.509, it's based on JSON and uses RSA keys to sign assertions. Implementing Persona for signing payments would likely be easy, with the user's wallet app embedding a browser and stopping after the user is signed into Persona and a user cert has been provisioned. While Persona may increase the reach of trusted third parties, it's still a progression and may improve in terms of security and decentralization over time. In contrast, Bitcoin sought to reduce dependence on trusted third parties. A (client or server-side) X.509 cert can be issued to any address, including a bitcoin address, allowing the private key to sit on the client and the public key to be discoverable by the other end. However, most enterprises, including Mozilla, take the stance that key management on the client is beyond the average user. For those interested in signing stuff with RSA (or other) keys, the web payments and payswarm communities have done a lot of work on this, including implementations that may be reusable.
Updated on: 2023-06-07T15:33:24.916894+00:00