[OpenID] [security] Re: generation fragments

Kevin Turner kevin at janrain.com
Fri Sep 5 19:51:50 UTC 2008


On Thu, Sep 4, 2008 at 5:50 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
> Donning my Relying Party hat for a moment (and pretending that I'm
> already prepared to accept arbitrary users), this is very worrisome
> for letting users input anything that wouldn't be public anyway, and
> then grant them later access to this same data on the merit of
> nothing more than having the same URI (and since that's practically
> the basis of OpenID, this is a very bad thing to be worried about).

Many (non-OpenID) sites now grant users access to an account on the
merit of having nothing more than the same e-mail address.  It seems
to me that mailto:joe at example.com would be recycled just as often as
http://example.com/~joe/ .  Do you trust this non-public data to sites
with email account recovery?


