If I understand correctly, the browser stores a certificate that proves you own your email address. These certificates are only valid for a certain amount of time, even if you check that you own this computer. So what happens when your cert expires? Do you have to go back to your email and re-click the link that gives you a new cert to be stored in your browser?
Also, if I'm using a public computer, is there a way for me to manually revoke a cert when I'm done using the machine? It seems that even a 1hr expiry is too long for this case.
This is the part that gets kind of confusing because there isn't a clear delineation between Persona the UI and Persona the fallback identity provider (IdP).
When your cert expires, you need to get a new one from your IdP. If you already have an active session with your IdP (either by logging into your webmail, or clicking the "this is my computer" button for Mozilla's fallback), then your browser can get a new cert completely invisibly.
If your session and your cert have expired, then you get prompted to authenticate again. For the Persona fallback, this means you'll be prompted for your Persona password (instead of sending you back to your email, because that's super annoying and users end up not logging into your site). If your email provider has native support for Persona, then you'll get prompted by them however they normally do login.
> I'm using a public computer, is there a way for me to manually revoke a cert when I'm done using the machine?
Go to login.persona.org and click "sign out." We're working on universal signout (at least for users of the fallback), but I'm not sure if that's landed in production yet.
I get the impression that verifying your email address only needs to be done once when you first sign up with Persona and create a password. When you use Persona to log in to a site for the first time in that browser, it prompts you for your Persona password and issues a certificate on success. If that certificate expires, I presume you would have to use your password again with Persona to get a new certificate.
I haven't found anything about manually revoking a cert, but I haven't looked either.
In the case of the JavaScript shim, the certificates are stored in the browser's local storage. In Firefox (and I believe in most other browsers), this gets deleted when you clear cookies.
So you can do that before you leave that public computer, or you can use private browsing / incognito mode so that cookies and local storage stay in RAM and disappear when you exit.