From: Melvin Carvalho <melvincarvalho@gmail.com>
To: Mike Hearn <mike@plan99.net>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Idea for new payment protocol PKI
Date: Fri, 9 Aug 2013 14:17:10 +0200
Message-ID: <CAKaEYhJSf7vt8WzBBY=qZhTNhdWeWu5kjyhcyidVfFUV1vxp-g@mail.gmail.com>
In-Reply-To: <CANEZrP3fWbGAO3MSvAzicjPmPzUGVfSgxk_MnZNUhHzE7_9drg@mail.gmail.com>
On 9 August 2013 14:08, Mike Hearn <mike@plan99.net> wrote:
>> Bitcoin sought to reduce dependence on trusted third parties, whereas
>> Persona is increasing the reach of trusted third parties. The keys and
>> passwords are stored on Mozilla's servers, sometimes on your email
>> providers. Persona is, however, a progression and will hopefully improve
>> its security and decentralization as it goes along.
>
> When Persona is supported by all the key players in a transaction Mozilla
> doesn't get anything, do they? You can easily run your own IDP on a
> personal server if you're the kind of person who likes to do that, then run
> Firefox so you have a native implementation and the Mozilla servers aren't
> involved. The keys never leave your computers.
>
You'd need to run your own email server and/or change email address, which
is not in the reach of the average user, and maybe not even of some
businesses.
>
> Whilst X.509 certs can indeed be issued for any arbitrary string, you
> still need a CA that will do it for you, and that's typically not so
> trivial. CAs aren't meant for widespread end user adoption, really, whereas
> Persona is.
>
You can self sign X.509 certificates quite easily (e.g. one click via
<KEYGEN>), then rely on a decentralized web of trust to remove browser
warnings. A few people are working on this.
>
> I don't think Persona is any more or less centralised than other PKIs,
> really, just easier to use. Ultimately the string you're verifying is a
> user@host pair, so the host is centralised via DNS and to verify the
> assertions it vends, you must use SSL to connect to it, so under the hood
> the regular SSL PKI is still there.
>
It is easier to use, that's a great plus. But convenience is often a
trade-off with security.

I don't use user@host, I use my home page because it's easy to dereference
and get a public key. Email is hard to dereference.

Yes, there is a reliance on DNS, which Tim calls the 'Achilles heel' of the
web, but it's held up quite well so far (fortunately for us).

Mozilla also have a master key to most email accounts, so if anyone got
access to that they could impersonate the vast majority of users that have
not opted in. I would not use Persona for financial stuff, but if I made a
casual app with non-sensitive information it would be one of the top
choices, imho.