-
But for today, the dedicated security and ops people that Persona has beats a single me, needing to sleep, and not being available 24/7.
Mozilla is no longer developing Persona, has moved staff away from the project and, while it is still providing minimal support, this is for the existing hosted service (downtime, critical bugs and the like). Mozilla has promised not to decommission Persona this year.
I know people who work for Mozilla. Persona is a dead duck. Now is a good time to be planning alternatives for the near future.
-
This I know.
Yet their "minimal support" still beats what Microcosm has today. We are 2 and, whilst Persona may not have achieved the original goals Mozilla have, they are providing support (and have been very fast to react whenever we've needed them to) and are actually still improving the product.
Yes we need a long-term plan. Yes we're likely to have to build our own.
But the very basic fact remains: If we spent months building an identity provider, Microcosm would already be dead as a company and product. It would have been the wrong decision by a country mile.
If our resources remain tight, then our future path may be a self-hosted instance of Persona, with the email bridges disabled (for our use-case that would suit us better anyway). But if we have the resources we would build our own identity provider... it would look very much like Persona, but we'd obviously be better placed to maintain it and to integrate it more deeply and invisibly.
-
I've spoken to the Persona team on numerous occasions over the last 18 months.
None of what you've said is unknown to us.
@Velocio has already pointed out why we're using it and plans for the future.
He's not bad as far as it goes, not in the league of a cperceiva but at least he's some hands-on experience. On HN he changed his tune after the Beta and final version were released. The comments in that blog post are based on the initial Alpha and many things changed.
His criticisms are easily defeated and no longer relevant, namely the two he mentions:
Not sure whether you know, but I have actually built several web account and SSO systems. The first back in 1998 for British Telecom (for their web portal), the next in 2000 for 300+ football websites, the web account for Premium TV, the third was an SSO extension for SharePoint, the fourth was the basis for trust-based security in SharePoint, the fifth was a web account for Yell Group customers and sales people.
I've built auth systems based on LDAP, Active Directory, RDBMS sessions, multi-devices, multi-access tokens, trust-based relationships between domain forests, SSO to legacy systems and SAP. Basically, it's one of my speciality areas. Tens of millions of people have used my web account and SSO systems.
Somewhere in that experience I get really hesitant to build yet another sign-in method. But I do have a really, really deep understanding of the requirements of one, and of what we needed for LFGSS to make it so that the API could work and we can build native client apps in future.
When I sat down to start this, I knew exactly what we would need to build, and what I saw was that Mozilla were building precisely the same thing.
If we didn't use Persona, I would build Persona.
It may have some nuanced differences. I wouldn't have done the email bridge (auto-signin with Gmail accounts) for example. But in the implementation and flow, almost everything else would be really similar.
If we ever stop using Persona, we will build something that looks very much like Persona.
But for today, the dedicated security and ops people that Persona has beats a single me, needing to sleep, and not being available 24/7.
Persona is 95% of what we need, and has saved us months of work by not requiring that we build it.