*This page is about Authentication __not__ security.*
Here are early some explorations on how to provide better login experience for wiki farms, and for users developing mobile apps. The aim is to provide backward compatibility with Persona, while moving over to a better security model.
Fedwiki currently has a pull-only, one domain-one author philosophy which cuts down on spam. We use Mozilla Persona to authenticate users.
Issues
Here are a few of the issues with the current login and security model:
- Persona has a habit of logging you out
- Logging in wipes the Lineout
- Persona sign in dialogues are ugly
- Relying on Persona is brittle
- You can't share authorship or give other people temporary access
Suggestions
This is work in progress, but a suggestion here is to use Capability URLs, and also separate authoring from viewing interfaces somewhat.
Given you know the url you have access to the ability to write to that domain. If you are concerned that other people may have a copy of the url, or you just want to renew / refresh your "password" - you can revoke the old url, and get issued with a new one.
These url's are impossible to guess, and are not crawled. It should be possible to set up a domain that generates and manages these Capability URL's and enables Fedwiki users to use them to gain the ability to author their sites in a way that does not have the problems abaove.
A Persona Hack?
Using Persona tools such as:
- Persona IDP - developer.mozilla.org/
- Persona browserid-certifier (node.js) - github
it should be possible to set up a web site which will automatically generate an updated Persona certificate for your sites - without the need for anything other than the knowledge of the URL.
Visiting this URL would then automatically renew your persona certificate - and redirect you to your site. You would bookmark this url on your local machine in order to be able to visit it later. You could share it with other people you want to have access to your site.
A second Persona based url - would enable access to revoking, or changing the durations of the certificates that were issued via the url. This service could be developed in a way which is compatible with modern decentralised blockchain and IPFS technologies - allowing users to choose this way to renew there certificates, or the web service.
Using the existing Persona Login would still be available.
Below we list some links that are related to this line of enquiry:
Cap’n Proto is an insanely fast data interchange format and capability-based RPC system. Think JSON, except binary. Or think Protocol Buffers, except faster - capnproto.org