I wonder how feasible it would be to shim OpenID and OAuth on top of this? Many major email providers offer OpenID or OAuth to verify email ownership. If the browser fell back to using one of those, it wouldn't need to use the alternate user/pass system in Persona.
The Persona team is actively working on this, actually. When a domain can't certify its own users, we fall back to having login.persona.org act as a third-party verifier. Of course, login.persona.org needs proof that you are who you say you are, so on first contact we create a password and do a standard email confirmation. Semantically, we'd get the same assurance, and better UX, by bridging to OpenID (Yahoo, Google) and OAuth (Hotmail). So we're doing that. :) This is a major Q4 goal for us, and we're mostly code-complete, modulo things that turn up in QA.
If I understand you correctly, that rather defeats the privacy-defending part of Persona. At the moment any site that wants to verify me through OpenID has to request back to Gmail. So Google knows every time I log into an OpenID site, which site it is, and can also refuse to verify me if they choose (not in enough circles, arrived at site with a bing.com referrer header, etc.).
No, I like this design, and I am guessing the reason only time crossword signed up is that Google and Yahoo like knowing which sites I have visited. Making me even more happy to move away.