The future of new identity
The current implementation of new identity seems fairly flaky since we have to adapt to new web features from upstream and hack around to trigger the corresponding Firefox controls. Moreover, it has to manage several distinct systems to achieve its goals, opening up a wide range of potential holes.
As such, I would actually personally recommend a user use a full browser restart if they want to de-link their sessions. The main disadvantage is that the tor process needs to re-bootstrap.
So the questions for the future of this feature are:
- What is the goal of this feature? What should happen and what do we want to guarantee? What does a user expect?
- Do we want to harden this feature by collaborating with upstream? In particular, by extending their reset PBM function (burn toolbar icon). And in our own patch modifying it to include things relevant to the tor network?
- Do we want to drop this entirely? For ease of maintenance.
- Do we just want to make this restart the browser entirely? Possibly handing a still-alive tor process between instances to avoid a bootstrap. This gives stronger assurances and may be easier than trying to maintain what we currently have.
- Do we want to require a restart and bootstrap of the tor process as well? At the moment we rely on clearing our domain circuit data and sending `NEWNYM`. Are we sure this is sufficient for the guarantee we want?
Depending on what we decide, we can split out other issues. But let's have the broad discussion here.
Edited by henry