- From: <noah_mendelsohn@us.ibm.com>
- Date: Thu, 18 Feb 2010 16:44:40 -0500
- To: Jacek Kopecky <jacek@jacek.cz>
- Cc: Larry Masinter <masinter@adobe.com>, "www-tag@w3.org" <www-tag@w3.org>
Jacek Kopecky writes:

> In other words, the email address is valid enough.

How can we say that without some definition of what the security goals are, and what the threats are to be defended against? I can see lots of cases in which it would indeed be "valid enough". I can also imagine examples, perhaps involving DNS hijacking, in which the confirmation would be made by the same black hat that maliciously opened the email account in your name.

Noah

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

Jacek Kopecky <jacek@jacek.cz>
Sent by: www-tag-request@w3.org
02/13/2010 07:11 AM

To: Larry Masinter <masinter@adobe.com>
cc: "www-tag@w3.org" <www-tag@w3.org>, (bcc: Noah Mendelsohn/Cambridge/IBM)
Subject: Re: "confirm subscribe" use case for "secret URI"

Larry,

this also brings up a simpler case: confirmation of valid email address. If the URI is ever resolved, it means the email address where the URI was sent is read by someone or something. In other words, the email address is valid enough.

On the other hand, are the URIs in these cases really secret? It feels like your point (b) goes against a requirement for secrecy.

Best regards,
Jacek Kopecky

On Thu, 2010-02-11 at 14:07 -0800, Larry Masinter wrote:
> the link to confirm subscription is:
>
> (a) one-time
> (b) accidental disclosure does not have a serious impact
>     and recoverable (can unsubscribe)
> (c) misuse can be audited (web site, presumably, maintains
>     log of IP address of requester)
>
>
> So this is a positive use case for a "secret URI".
>
> Larry
> --
> http://larry.masinter.net
>
>
> -----Original Message-----
> From: forum@unicode.org [mailto:forum@unicode.org]
> Sent: Thursday, February 11, 2010 2:03 PM
> To: Larry Masinter
> Subject: Welcome to "The Unicode Consortium Discussion Forum"
>
> Welcome to The Unicode Consortium Discussion Forum forums
>
> Please keep this e-mail for your records. Your account information is as
> follows:
>
> ----------------------------
> Username: masinter
>
> Board URL: http://www.unicode.org/forum
> ----------------------------
>
> Please visit the following link in order to activate your account:
>
> http://www.unicode.org/forum/ucp.php?mode=activate&u=84&k=421T7N4NND
>
> Your password has been securely stored in our database and cannot be
> retrieved. In the event that it is forgotten, you will be able to reset it
> using the email address associated with your account.
>
> Thank you for registering.
>
> --
>
Received on Thursday, 18 February 2010 21:42:24 UTC
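
The properties (a) to (c) listed in the quoted message, sketched as an added example that is not part of the thread or of any participant's code. The class name, method names, base URL and in-memory storage are assumptions chosen for illustration.

```python
import hashlib
import secrets


class ConfirmationLinks:
    """In-memory store of pending subscription confirmations (hypothetical)."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.pending = {}     # sha256(token) -> email awaiting confirmation
        self.confirmed = set()
        self.audit_log = []   # (event, email or None, requester IP)

    def issue(self, email, requester_ip):
        # 128 bits from the OS CSPRNG: the URI is "secret" only in the
        # sense that it cannot be guessed.
        token = secrets.token_urlsafe(16)
        # Keep only a digest, so a leaked table yields no usable links.
        self.pending[self._digest(token)] = email
        self.audit_log.append(("issued", email, requester_ip))
        return f"{self.base_url}?k={token}"

    def confirm(self, token, requester_ip):
        # (a) one-time: pop() deletes the entry, so a replay finds nothing.
        email = self.pending.pop(self._digest(token), None)
        # (c) auditable: every attempt, good or bad, is logged with its IP.
        event = "confirmed" if email else "rejected"
        self.audit_log.append((event, email, requester_ip))
        if email:
            # This shows only that someone able to read the mail resolved
            # the link, not that the intended mailbox owner did.
            self.confirmed.add(email)
        return email

    def unsubscribe(self, email, requester_ip):
        # (b) recoverable: a confirmation made in error can be undone.
        self.confirmed.discard(email)
        self.audit_log.append(("unsubscribed", email, requester_ip))

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
```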