privly / privly-organization

The Repository for Privly Issues not belonging to any particular repository. Documentation, Privly.org, and other issues should attach to this repository.

PGP: Mozilla Persona to go offline #41

Open mkash32 opened 8 years ago

mkash32 commented 8 years ago

In the PGP wiki page, it says Mozilla Persona will be used for identification. I took a look at their webpage and it is mentioned that persona services will be shut down from November 2016. Are there any open source alternatives to Mozilla Persona available? (LastPass and Okta provide similar services but they aren't open source)

smcgregor commented 8 years ago

Hi @mkash32, good question. I updated the wiki to read:

The PGP application can be considered to have two parts. First, we have the application that performs encryption and decryption for keys. Here we use PGP (Pretty Good Privacy) with OpenPGP.js. Second, we have the system that determines which keys we trust. Here we previously used a hack on top of Mozilla Persona's authentication system, but since Mozilla is shutting down the project we need a different solution.

There are many potential solutions that offer various security and UX properties. We previously selected Persona because it is a system that is most directly tied to email identities while also not requiring any manual management of keys. Users are terrible at managing keys. Unfortunately, Mozilla never got the Persona project to a finished project and never put any money behind marketing it. So they killed it.

Insofar as a replacement for Persona is concerned, you are welcome to propose any replacement you see fit. We can discuss the relative merits at that time. Generally going with a closed source project won't work because they generally require some trust in the identity service. We don't want to introduce another trusted party to the system.

mkash32 commented 8 years ago

Actually I wasn't able to understand how Persona fits into the PGP implementation. I read the documentation for persona but I wasn't able to make any connection. Could you give a hint as to how those two would be connected?

mkash32 commented 8 years ago

Never mind, I found the information at https://github.com/privly/privly-applications/blob/experimental-pgp/pgp/protocol.md to be helpful in understanding the role of persona.

smcgregor commented 8 years ago

Yeah, I should note we figured out how to use Mozilla's identity infrastructure for signing PGP keys, but this is not the use-case Persona was built for. It turns out that identifying users for websites is very similar to identifying a user for PGP keys. It was a hack and we got burned by piggybacking on a solution we didn't control when they announced its EOL. We could potentially use Persona's software without Mozilla's support, but that would entail trusting the Privly Foundation to operate email verification and identity infrastructure, which is something we want to avoid.