What really frustrates me about HTTP as a protocol is that it provides the beginning of a framework to do session management using the WWW-Authenticate headers, but it's ignored because the site can't provide a good UX. Instead we end up with phishing, terrible login forms and poor security when people reimplement session management in Cookies.
I've long wondered if we might have had better alternatives via WWW-Authenticate if major browsers had made it straightforward/possible to write auth plugins. (Actually it probably is possible, but AFAICT not without non-portable munging about in NPAPI.) If Mozilla actually do something to integrate Persona into their clients, will they do so in an open, repeatable way (with an API accessible to extensions) or will it just be more of the same oddball one-off coding that supported NTLM?
