[pre scriptum] This email particularly concerns the people on the Tor Browser team and those interested in progress on Roger's "A Call To Arms: Helping Internet services accept anonymous users" blog post. [0]
Hello all,
While setting up a Mozilla Persona Identity Provider (IdP) server for testing ways to provide a system for anonymous users to log in to websites, I discovered some serious problems [1] which, in my opinion, make Persona unusable for our case.
One of these problems [2] essentially boils down to forcing us to choose between two options for real-world deployment, due to a lack of forward compatibility in the existing Mozilla Persona deployment:
1. We could deploy a version which is compatible with the legacy Persona implementation but which has privacy issues.
We would need to accept that the so-called "anonymous" users of the Tor Project IdP would be sent from the website they are trying to log into (Wikipedia, for example) to https://login.persona.org, and that the latter would speak to the Tor Project IdP.
If we went this route there would not be even a remote chance of pseudonymity, as the https://login.persona.org server could:
* Log which websites a Tor user tries to log into,
* Log when a Tor user tried to log into or out of any website,
* Potentially link a user's pseudonyms (yes, even if we handed out blinded signatures in our credentials),
* Arbitrarily decide to block all Tor users without the consent of either Wikipedia or the Tor Project IdP,
* and probably a bunch of other horrible stuff.
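To make the logging concern concrete, here is an added illustration (not code from this thread, the Tor Project IdP, or Mozilla) that models the legacy BrowserID "backed assertion" a relying party hands to Mozilla's hosted verifier and extracts the metadata that central party learns from it; it assumes the standard legacy claim layout, and the hostnames, timestamps and signatures are constructed placeholders.

```python
import base64
import json

# Constructed example, not code from the Tor Project IdP or from Mozilla.
# It models the legacy BrowserID backed assertion (certificate~assertion,
# two JWS compact tokens) that a relying party posts to Mozilla's central
# verifier. Signatures are placeholders: the metadata below is readable by
# anyone holding the token, with no key material needed.

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_backed_assertion(idp, email, audience, now_ms, ttl_ms=120_000):
    """Build cert~assertion with the claim layout legacy Persona used."""
    header = _b64url({"alg": "RS256"})
    cert = {"iss": idp, "iat": now_ms, "exp": now_ms + 86_400_000,
            "public-key": {"algorithm": "RS", "n": "<user-modulus>", "e": "65537"},
            "principal": {"email": email}}
    assertion = {"aud": audience, "exp": now_ms + ttl_ms}
    # Real tokens carry the IdP's signature over cert and the user's over assertion.
    return (f"{header}.{_b64url(cert)}.IDP_SIG_PLACEHOLDER~"
            f"{header}.{_b64url(assertion)}.USER_SIG_PLACEHOLDER")

def verifier_observes(backed, received_ms):
    """Metadata a central verifier learns from one login, before any crypto."""
    cert_tok, assertion_tok = backed.split("~")
    cert = _unb64url(cert_tok.split(".")[1])
    assertion = _unb64url(assertion_tok.split(".")[1])
    return {"site": assertion["aud"], "when_ms": received_ms,
            "idp": cert["iss"], "email": cert["principal"]["email"]}

def login_history(observations):
    """Per-identity record of which sites were logged into and when."""
    history = {}
    for obs in observations:
        history.setdefault(obs["email"], []).append((obs["site"], obs["when_ms"]))
    return history

if __name__ == "__main__":
    t = 1_400_000_000_000  # constructed timestamp in ms
    tokens = [make_backed_assertion("idp.example", "anon1@idp.example", "https://rp.example", t),
              make_backed_assertion("idp.example", "anon1@idp.example", "https://forum.example", t + 60_000)]
    seen = [verifier_observes(tok, t + 500 + i * 60_000) for i, tok in enumerate(tokens)]
    print(json.dumps(login_history(seen), indent=1))
```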
2. We could make a version based on the so-called "native" Persona implementation within Firefox. This would result in fewer privacy issues; however, it would be incompatible with the rest of the existing Persona infrastructure.
Mozilla's "native" Persona implementation is already incompatible with the legacy version currently deployed on all Persona-enabled websites and IdPs today.
If we decide to go this route, and create a version of Persona which does not redirect our users through third-party IdPs, we would need to try to force every website that wants to allow anonymous users to log in to source custom JavaScript that we make available, [3] which is specific to allowing logins from our IdP. In addition, sites which include this JavaScript would no longer be compatible with the regular (non-Tor Browser) Firefox userbase or with any existing Persona infrastructure (both Persona-enabled websites and other Persona IdPs). For a more verbose explanation, please see [4].
I think we can all agree that Option #1 is unacceptable.
If we were to do Option #2, we would essentially be taking over maintenance of Persona from Mozilla *and* creating an entirely new, incompatible authentication system on top of the dilapidated remains. Before going that route we should pay attention to the fact that Mozilla pulled support for the project because of lack of adoption. If our goal was to save work by using Persona for this purpose, I estimate that we would be doing more work by using Persona than if we were to build something completely from scratch.
[0]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-...
[1]: https://trac.torproject.org/projects/tor/ticket/12193
[2]: https://trac.torproject.org/projects/tor/ticket/12193#comment:12
[3]: https://github.com/isislovecruft/browserid-certifier/blob/master/srv/login.p...
[4]: https://trac.torproject.org/projects/tor/ticket/12193#comment:13