IMO, the main mistake was that it used a centralized authentication system to "bootstrap" the protocol - basically a fallback auth source back when nobody supported the protocol. In theory, after the protocol was adopted widely, they could shut down the Mozilla Persona servers. In practice, it ended up being perceived as "Mozilla Login" and the branding (dropping BrowserID) didn't help.
It didn't have to be this way, although I understand the reasons for it. The fallback auth system could have simply been a piece of software infrastructure that you (the site operator) were expected to run locally. It would have had two downsides: 1) it's a fairly complex piece of software that sends email and interacts with the website, so it would have been hard to make portable, and 2) it would mean doing the email auth dance separately on each site (like we do already).
The main advantage, though, would have been that it wouldn't depend on Mozilla running servers. The project could live on.
Honestly, if I had free time, this is one of the things I would be working on. The protocols are already written up; it just needs software.