What is Nostr?
Melvin Carvalho [ARCHIVE] /
npub1uvt…axrt
2023-06-07 15:05:45
in reply to nevent1q…2wr0

Melvin Carvalho [ARCHIVE] on Nostr: 📅 Original date posted:2013-08-09 📝 Original message:On 9 August 2013 14:08, ...

📅 Original date posted:2013-08-09
📝 Original message:On 9 August 2013 14:08, Mike Hearn <mike at plan99.net> wrote:

> Bitcoin sought to reduce dependence on trusted third parties, where as,
>> persona is increasing the reach of trusted third parties. The keys and
>> passwords are stored on mozilla's servers, sometimes on your email
>> providers. Persona, is however, a progression and will hopefully improve
>> its security and decentralization as it goes along.
>>
>
> When Persona is supported by all the key players in a transaction Mozilla
> doesn't get anything, do they? You can easily run your own IDP on a
> personal server if you're the kind of person who likes to do that, then run
> Firefox so you have a native implementation and the Mozilla servers aren't
> involved. The keys never leave your computers.
>

You'd need to run your own email server and/or change email address, which
is not in the reach of the average user, and maybe not even of some
businesses.


>
> Whilst X.509 certs can indeed be issued for any arbitrary string, you
> still need a CA that will do it for you, and that's typically not so
> trivial. CAs aren't meant for widespread end user adoption, really, whereas
> Persona is.
>

You can self sign X.509 certificates quite easily (e.g. one click via
<KEYGEN>), then rely on a decentralized web of trust to remove browser
warnings. A few people are working on this.


>
> I don't think Persona is any more or less centralised than other PKIs,
> really, just easier to use. Ultimately the string you're verifying is a
> user at host pair, so the host is centralised via DNS and to verify the
> assertions it vends, you must use SSL to connect to it, so under the hood
> the regular SSL PKI is still there.
>
>
>
It is easier to use, that's a great plus. But convenience is often a trade
off with security.

I dont user user at host, I use my home page because it's easy to dereference
and get a public key. Email is hard to dereference.

Yes, there is a reliance on DNS, which Tim calls the 'Achilles heel' of the
web, but it's held up quite well so far (fortunately for us).

Mozilla also have a master key to most email accounts, so if anyone got
access to that they could impersonate the vast majority of users that have
not opted in. I would not use persona for financial stuff, but if I made a
casual app with non sensitive information it would be one of the top
choices, imho
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130809/45364f00/attachment.html>;
Author Public Key
npub1uvtfvcegcn9kds68r8he57emc480vqtx8t22kpsctxgjxae44gvsksaxrt