Aug. 1, 2016
5:42 a.m.
Guido van Rossum writes:
> I'm curious why MM3 doesn't let you log in with email and password directly? What benefit did Mozilla's service have? Was it just that Mozilla handled password security?
That's the basic rationale. Mailman core's security is still dependent on host security and not exposing control protocols to the network, so the more aspects of user authentication and authorization we can delegate to a service created and maintained by security experts the better. This also allows us to avoid maintaining such critical services in multiple places (Postorius and HyperKitty for now). Use of Persona seemed to allow us to depend on such expertise for both single-sign-on (via Google or whatever) and password authentication.

Steve