badida | 13 years ago

Let's see if I can help provide some answers here:

a) certificates are stored in localStorage for https://login.persona.org. They are very short-lived (hours), so that we don't have to deal with revocation, since that would likely be impossible on a per-user scale.

b) there's no way you can prevent an identity provider from misusing your identity. They're your identity provider. You chose them because you trust them to credential you and not let other folks impersonate you.

b') browser extensions already have full control over your life. That's something that should be addressed longer term, but Persona is not making this any worse.

b'') other entities cannot access the localStorage for login.persona.org, so that should be okay.

c) you're not just entering an email address. You're also proving you own it, for example by being logged into your Yahoo.com account, or by clicking the confirmation link we send you. What we're doing is minimizing the number of steps you have to take to prove you own an email address. But you still have to own it.

You should check out our documentation, which is quite thorough:

  https://developer.mozilla.org/en-US/docs/persona

I think we've provided a lot of hard data and docs to back our claims, but we're happy to provide more, of course.
