There’s a great summary on the Mozilla wiki about what did and didn’t work about Persona, Mozilla’s attempt at a new identity protocol for the web. (Given the existence of that page, I’m not sure the project continues to be actively pursued? Techcrunch reports that Persona is dead.)

Having been in the middle of the last major attempt to solve the identity problem on the web aka OpenID — well, as long as it looked like it was actually going somewhere — I was always puzzled why Mozilla thought they would be able to produce a better outcome. Chances are that the identity team at Mozilla simply did not know about the OpenID experience; this is certainly the impression I got every time I talked to somebody on their team. Some of the predictions they made were extremely unlikely, and there seemed to be a great lack of understanding for how possible adopters (e.g. a website with a login button) would evaluate their business case.

Among the many good points, for me the most salient point on that page is this:

We looked at Facebook Connect as our main competitor, but we can’t offer the same incentives (access to user data).

Duh. In fact, the way Persona positioned itself, it explicitly promised that it was going to be more privacy-protecting than anything else, aka “we won’t give access to user data.” (I predicted exactly that outcome last year.)

If the business model of your customer is spying on their users, why would you expect them to adopt a technology that makes that harder?

So. I learned this about decentralized identity on the web:

• Identity is not a product in itself. You can construct the world’s best system, identity itself is a feature, not a product. Exhibit A: Facebook Connect. The product is “find out as much as you can about your user and their friends so you can most effectively insert your product into their life, whether they like it or not”.
• The web today is not decentralized. A decentralized identity protocol is mis-matched with its environment and so cannot be adopted as such. Exhibit B: the way decentralized OpenID morphed into Google identity. Arguably there is nothing decentralized about OpenID use today. (The protocol may be decentralized; actual deployment and use is not.)
• If anybody wanted to construct (or resurrect) a decentralized web identity protocol, they would have to tie this into some other product whose architecture and use is entirely decentralized. A decentralized social networking application, for example (but those, like Diaspora, have their own major problems.) Or, my current favorite, Bitcoin (which of course would not work at all if it didn’t have a decentralized identity foundation already.)

It’s sad to see all that energy wasted, with an entirely predictable outcome. But one of these days somebody is going to tie enough pieces together to make a decentralized web viable again, and decentralized identity will be a critical part of that. I can’t wait, and I hope some of this will run on Indie Box.