[OpenID] [security] Re: generation fragments
SitG Admin
sysadmin at shadowsinthegarden.com
Fri Sep 5 20:12:10 UTC 2008
>Many (non-OpenID) sites now grant users access to an account on the
>merit of having nothing more than the same e-mail address. It seems
>to me that mailto:joe at example.com would be recycled just as often as
>http://example.com/~joe/ .
Yes, and it's the reverse point that I'm trying to make. As we move
into an era where your URI *is* your Identity (more so than E-mail is
now), we begin entering areas of danger that E-mail recycling hasn't
adequately prepared us for.
>Do you trust this non-public data to sites
>with email account recovery?
What, they'll resurrect my dead account for anyone with a valid E-mail address?
As a generic "you" that question works well (the average user does),
if you mean me specifically I'd disappoint you in great detail ;)
-Shade