There is a token that's passed. The web site gets an email address and a string called "an assertion" that they must verify.
If Gmail suddenly started verifying instead of Persona for @gmail.com addresses, the web site would see the email address as exactly the same, so it should give access to the same account.
They would then start verifying that "assertion" using Gmail and not Persona. It would be verified and hence secure.