Hacker News

I personally like OpenID, especially in combination with GMail. But if this is easier for most users (and it seems to be) then I could be a fan of it as well.

One thing that I don't see is what happens if I sign up as a user now (with my GMail address) and then GMail later starts providing their own service, instead of the fallback. Do I lose my account on all the services I signed into?



As I understand it, you're identified to the site by an email address. So if GMail becomes an ID provider, you keep using the same identity, but with Google confirming it rather than Mozilla. I'm by no means an expert, though.


Exactly -- your provider's domain is always checked first. Mozilla only steps in as a fallback, and accounts can/will be transparently "upgraded" when a domain adds native support.


I am also by no means an expert but that is also my understanding.

What would change, though, is the login procedure. Where once the user saw a Persona login box, suddenly they will see a Gmail login box. That has the potential to be really confusing unless handled well, no?


Okay, so there's no token being passed? If someone manages to spoof the system, they could be anyone and just accept my access request?

I haven't thought it all through, but it feels like there's a weakness there that's just waiting to be exploited.


I think there is a token being passed, but it's authentication, not identity. It's a signed declaration that you own that identity, and it must be either from the domain that issued it, or another source that the site you're visiting specifically trusts (i.e. Mozilla, at present).

I trust Mozilla to have done a good job of this. If there's a weakness, it's not going to be anything so obvious that you can see it from my stumbling attempts to describe the protocol. If it sounds like there is, I'm probably describing it wrong. Have a look at the details here: http://lloyd.io/how-browserid-works


Thanks. That link explained it, and at least took care of my current worries.


There is a token that's passed. The web site gets an email address and a string called "an assertion" that they must verify.

If Gmail suddenly started verifying instead of Persona for @gmail.com addresses, the web site would see the email address as exactly the same so should give access to the same account.

They would then start verifying that "assertion" using Gmail and not Persona. It would be verified and hence secure.
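Added example, not part of the thread and not Persona's own code: a sketch of the site-side rule the comments describe, where accounts are keyed by email address and the accepted issuer moves from the fallback to the email's own domain once that domain adds native support. All names are hypothetical, `fallback.example` stands in for Mozilla's fallback, signature verification is assumed to have already succeeded, and rejecting the fallback for a domain with native support is an assumption drawn from "your provider's domain is always checked first".

```javascript
// Added illustration; names are hypothetical, not the BrowserID/Persona API.
// Assumes the assertion's signatures have ALREADY been verified and that
// `issuer` is the hostname whose key signed the user's certificate.

const FALLBACK_ISSUER = 'fallback.example'; // placeholder for the fallback provider

function makeRelyingParty(nativeDomains) {
  // Constructed state: domains that currently act as their own identity provider.
  const native = new Set(nativeDomains.map((d) => d.toLowerCase()));
  const accounts = new Map(); // keyed by email only, never by issuer

  // Split an address; returns null for anything without a local part and domain.
  function parse(email) {
    const at = email.lastIndexOf('@');
    if (at < 1 || at === email.length - 1) return null;
    return { local: email.slice(0, at), domain: email.slice(at + 1).toLowerCase() };
  }

  // The email's own domain is checked first; the fallback is accepted only
  // when that domain has no native support (assumption, see lead-in).
  function issuerAllowed(domain, issuer) {
    const iss = issuer.toLowerCase();
    return native.has(domain) ? iss === domain : iss === FALLBACK_ISSUER;
  }

  function login(email, issuer) {
    const parts = parse(email);
    if (!parts || !issuerAllowed(parts.domain, issuer)) return null;
    const key = `${parts.local}@${parts.domain}`;
    if (!accounts.has(key)) accounts.set(key, { id: accounts.size + 1, email: key });
    return accounts.get(key); // same account whichever issuer vouched for it
  }

  return {
    login,
    addNativeSupport: (domain) => native.add(domain.toLowerCase()),
  };
}

// Constructed walk-through: alice signs up via the fallback, then her
// domain becomes its own provider and she lands in the same account.
const site = makeRelyingParty([]);
const before = site.login('alice@mail.example', FALLBACK_ISSUER);
site.addNativeSupport('mail.example');
const after = site.login('alice@mail.example', 'mail.example');
console.log(before === after);
```
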



