DrupalCon Prague 2013

Mozilla Persona, decentralizing identity APIs

Jonathan Brown, Dan Callahan


Excerpt from the automatic transcription of the video produced by YouTube.

Okay, thank you everybody for coming. I don't know how many of you were at DrupalCon Denver, but one of the keynotes from DrupalCon Denver was Mitchell Baker. So she's the chairperson of the Mozilla Foundation, and one of the things she spoke about, it was a new sign-in technology called Persona. One of the main advantages of this is that when you sign in with Persona, the website you're signing into never gets to see your password, so there's a lot of advantages to that.

So I wanted to use this myself. I am a Drupal developer, so I wanted to see what Drupal modules there were. So I found one module first of all called BrowserID, which is the old name for Persona, and it also implemented the older protocol, and then I found another module called persona that used the new name; it used the new protocol. So that was great, but I had a look at the module and I basically wanted to rearrange a lot of things, so I started submitting patches, and I think that the maintainer got so fed up with me submitting so many patches that he gave me commit access to the module, and then I just ran with that and made a huge number of changes, and I think the module is now very, very stable.

So I joined the mailing list for Mozilla identity and told him about the module, got talking to them, and Dan, he is the project lead for the Persona project, he sent me the T-shirt for Persona, um, and then I suggested that he should come to DrupalCon and tell us all about Mozilla Persona. So if we can all give a very warm Drupal welcome to Dan Callahan.

Thank you. It was great, I get this email from Johnny saying, "Oh, I've got this talk submission for DrupalCon, should totally come by." "Sure." He's like, "Well, you'll give the first half of the talk," and, oh, so here I am. That's clearly the way to do it: get a talk accepted, then get somebody else to, uh, to do it. Pro tip right there. So I'm here to talk about how we as a community, we the Drupal community, are going to kill the password on the internet.

And the way we're going to do that, I hope, is with Mozilla Persona. Persona is a login system. It replaces emails and password forms, it replaces social auth on your own website, and it works on the basis of verifying email addresses. Let me show you what it looks like.

So I've recorded a screencast of me logging into a few websites using Persona. I'm going to start with Raygun.io, which is an error, production application error tracking app. I'm given an option of logging in with an email and password, or a number of different protocols or other methods. I'm going to click on Persona, and when I click there my browser prompts me to enter an email address. I can enter any email address I want, and in this case I'm going to use my work address, d callahan at mozilla.com, and when I click Next you'll see very briefly the dialog says "checking with your email provider". So it's going, looking at mozilla.com, and it finds that mozilla.com understands the Persona protocol, because we eat our own dog food, and I get forwarded on to a login page specifically for me to log in to my corporate account. It's hosted by Mozilla. I type in my normal LDAP password, just as if I was logging into webmail at work, I hit Sign In, my email address has been verified, and I'm logged into Raygun.

Now that I've logged into the site once, now that my browser knows who I am, when I go to other websites and click Sign In, if they use Persona, notice that my email address is already prefilled. My browser now knows who I am, so it only takes me two clicks to log into additional websites: one to open the email picker, and two to confirm that I want to sign into that website. After I've used Persona once, I'm never more than two clicks away from logging into another website, even if I've never visited that site before.

Of course, we understand that people have different identities online. Me at work is not the same as me at home, and so if I want to use my Gmail address to log into my Open Badges backpack, I can simply click the "add another address" button, type in dan callahan at gmail.com, and when I click Add, just like my Mozilla address sent me to Mozilla to authenticate, a Gmail address sends me to Google to authenticate. One additional click and I'm signed in. So I've signed into three sites with a total of seven clicks. It's very, very simple, very, very easy, very low friction, and none of these sites are receiving a password. None of these sites receive any sort of secret that they have to worry about storing and securing.

So now when I go to another website, Ting, which is a mobile phone service provider in the US... Ah, the question is: was Gmail running a special service (sorry, pause the screencast when it's mid-load) to support Persona? I'll answer that in just a minute. But now my browser's seen two identities of me, of mine, my Gmail address, my work address, and so I'm given this picker where I can very simply choose. I could add a third address if I wanted to, or a fourth. I can choose one, click Sign In, even if I've never previously used that site.

So that's the way Persona works. It's very, very simple, very, very easy to use. Of course I demoed that in Firefox. Mozilla understands that the web is bigger than any one browser, it's bigger than any one email provider, and it's bigger than any one social network, so Persona today works with any email address on any major browser. Everything from Mobile Safari or Chrome on iOS out to pretty much any browser on Android; Internet Explorer 8 and up work great with Persona. And what you effectively get is a button that lets you sign users into your site with their email address, but without you having to worry about storing, receiving, touching passwords at all, because when you put Persona behind that button, Persona intelligently routes your users to an appropriate login endpoint. For Mozilla users, for Mozilla employees, we go log in against our corporate LDAP server; for Gmail users, they log in against Google; Yahoo against Yahoo; and it only gets better. So you implement Persona once and you already have a strict superset of all of these social providers, and any domain at any time can advertise support for Persona and immediately start receiving users and having people directed to it.

Of course, if you use an address, say your own corporate address, that doesn't support Persona, Persona is configured to fall back to a normal email challenge. So we send you a link, you click on it, you've proven your address, done. So the same sort of thing that you would have to implement yourself if you wanted to support an email address, Persona does by default, but for domains that support it, users have an enhanced, smoother flow that works with their existing authentication endpoints.

Of course, like everything Mozilla does, Persona's open source, and like the web itself, it's decentralized. We're not trying to get between you and your users; we're trying to define a protocol that the browser itself can use to figure out how and where to authenticate you. So today Persona exists as a web service; today Persona is a reference implementation of a protocol.

But our ambitions are much more audacious. We want Persona to become the next standard for authentication on the web. We want Persona to be baked into browsers, and we're going to start leading in that direction early next year, when we start building Persona into Firefox directly.

Firefox: why does a browser vendor, why does Mozilla care about passwords? Why are we trying to address login? So though Mozilla is best known for building Firefox, we're a non-profit, we're a global community, just like the Drupal community, representing tens of thousands of volunteer contributors all over the world. We exist to make sure that the web remains an open and accessible and interoperable place that's built on standards, not solely controlled by advertising firms. The Mozilla Foundation, the nonprofit that shepherds the direction of the Mozilla projects, codifies its work in the Mozilla Manifesto, a ten-point manifesto of the open web. This was developed at the height of the browser wars, when the Internet Explorer/Netscape divide threatened to split the internet into mutually incompatible realms. But some of these points, number two, that the Internet is a global public resource that must remain open and accessible, apply much more broadly than just to browsers. Number four: individual security on the internet is fundamental and cannot be taken for granted, or cannot be treated as optional. Number five: individuals must have the ability to shape their own experiences on the internet.

Each one of these points, each one of these bullets in our manifesto, apply equally to the browser wars as they do to identity. Each one of these is facing a grave threat. Social authentication threatens to split the internet and close it off completely, eliminate the ability for certain classes of people to access entire classes of websites. If you live in a country that blocks Facebook, you cannot log in to a site that uses Facebook Connect. Furthermore, social auth robs users of the ability to choose who they trust, who they are, and how they represent themselves on the internet. And passwords, security: it is extremely difficult, extremely difficult to do security correctly.

Is there a question in the back? So, what about countries blocking Mozilla? Part of that comes in to the idea of Persona being decentralized, so there is no necessary point that flows through Mozilla. I'll discuss the protocol at the end of the talk. So yeah, if you have further questions, please feel free, raise your hand or bring those up whenever. So let's look at where we come... authentication is hard.

[ ... ]

Note: the other 4,842 words of the full transcript have been omitted to comply with YouTube's "fair use" rules.