W3C home > Mailing lists > Public > www-tag@w3.org > June 2013

Re: Yahoo to reuse email addresses - re: Identifier persistence

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 28 Jun 2013 08:59:58 +0200
Message-ID: <CAKaEYhKen=yGLTTCv96J14qtRZri0F=rk4y4axuX8qc5BEmSrg@mail.gmail.com>
To: John Kemp <john@jkemp.net>
Cc: Tim Berners-Lee <timbl@w3.org>, TAG List <www-tag@w3.org>
On 21 June 2013 01:56, John Kemp <john@jkemp.net> wrote:

> Email addresses in such a scenario have two quite-different uses:
>
> i) As an identifier disambiguating one user from any other within the
> email (ie. security) domain
> ii) As an address for mail delivery
>
> Since Yahoo can physically reassign an address to a different mailbox
> within their domain, there's not really any problem for Yahoo. Dormant
> users have indicated that they have "moved out" of their mailbox, by their
> inactivity. Yahoo can ensure both that the old mailbox is inaccessible, and
> they can ensure the old account password is changed, protecting data
> associated with the dormant user at Yahoo.
>
> However, when that email address is used as an identifier for an
> individual outside the Yahoo systems (say joe@yahoo.com uses that email
> address to get a Facebook account), there is a potential problem for those
> companies who have accepted a Yahoo email address as an identifier for a
> particular user, and have originally authenticated that user by sending
> email to an address associated with one particular Yahoo mailbox. If the
> mailbox is reassigned, they are now sending emails to a different person,
> or have authenticated someone different than the person trying to now login
> with that address as their identifier.
>
> That seems like a problem for those companies accepting email addresses as
> identifiers, and who are authenticating the initial interaction by sending
> email to a given mailbox. It also seems like a potential problem for the
> dormant Yahoo user, if someone can guess their (for example) Facebook
> password associated with the old Yahoo email address identifier.
>

This is a great point.  Without wishing to go off at too much of a tangent,
I think email style identifiers tend to be overloaded in THREE ways:

i) as the primary key to an identity system
ii) as an address for mail delivery
iii) a memorable identifier

This overloading has some possible consequences.  Firstly, anyone wishing
to partake in such an identity system, needs to be able to run an email
system, or delegate that out to a third party.  This is a relatively high
overhead, meaning that large email providers are positive differentiated at
the expense of the long tail.  Architecturally, this exacerbates
centralization of the web, which can lead to single points of failure, or
perhaps in some cases a loss of privacy.

Additionally, systems tend to be architected in such as way as there is a
one-to-one correspondence between your email address and your identity.
This means that it's problematic to change your email address, say, if you
get married.  You have to start your identity all over again.  One
exception to this rule is facebook, which uses graph.facebook.com ie a HTTP
URI as its primary key, and, email as your foreign key.  This means you can
change your email, name, or other data, while leaving your main profile
record intact.  Indeed, you could add more than one email, in theory.

>From an architecture point of view, I find the growth of email as an
identity system on the web, slightly troubling.  Consider HTTP (bis), the
"From" field allows an email address, and NOT, an HTTP identifier.  HTTP
identifiers (e.g. for robots) are often stuffed into the User-Agent field
delimited by a semi colon.  I can think of no major communication system
that prevents the user from identifying themselves with an ID that's part
of that system.  For example, an email message can have an email sender,
telephone calls can have "caller display" to give a phone number, and the
postal service allows the sender's address to sometimes be recorded or
displayed.

Overloading Email as identity, while undoubtedly useful, potentially causes
a few issues, other than just the recycling problem.  Systems such as
Mozilla Persona allow ONLY email, systems such as WebID generally are
defined to be only HTTP, and systems such as OAuth can have both.  I think
the web would benefit from a more holistic approach to identity.

Just my 2 cents ...


>
> Regards,
>
> John
>
> On Jun 20, 2013, at 5:53 PM, Tim Berners-Lee <timbl@w3.org> wrote:
>
> > As email addresses become increasingly the grounding point for identity
> > on the net, interesting to ask whether we should be expecting some
> > standards of persistence ...  or should we be always quoting them with a
> date?
> >
> > Timbl
> >
> >
> >> """Yahoo tells security critics to chillax regarding its email
> recycling program
> >>
> >> So much for trying to be nice. Yahoo’s latest bid to lift itself from
> the tech also-ran swamp with an email recycling initiative has been
> criticized for potential security threats to dormant users. To try and calm
> down the pitchfork-wielding crowd, the company has released a statement
> describing various security measures that will be taken to insure past
> users’ data and security—but they may not cover all the bases."""
> >>
> >>
> http://www.techhive.com/article/2042508/yahoo-tells-security-critics-to-chillax-regarding-its-email-recycling-program.html
>
>
>
Received on Friday, 28 June 2013 07:00:26 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:20 UTC