
Re: Yahoo to reuse email addresses - re: Identifier persistence

From: John Kemp <john@jkemp.net>
Date: Thu, 20 Jun 2013 19:56:16 -0400
Cc: TAG List <www-tag@w3.org>
Message-Id: <AFEED991-CDC8-4903-A7FB-13F9F45BD8CB@jkemp.net>
To: Tim Berners-Lee <timbl@w3.org>

Email addresses in such a scenario have two quite-different uses:

i) As an identifier disambiguating one user from any other within the email (i.e. security) domain
ii) As an address for mail delivery

Since Yahoo can physically reassign an address to a different mailbox within their domain, there's not really any problem for Yahoo. Dormant users have indicated that they have "moved out" of their mailbox, by their inactivity. Yahoo can ensure both that the old mailbox is inaccessible, and they can ensure the old account password is changed, protecting data associated with the dormant user at Yahoo. 

However, when that email address is used as an identifier for an individual outside the Yahoo systems (say joe@yahoo.com uses that email address to get a Facebook account), there is a potential problem for those companies who have accepted a Yahoo email address as an identifier for a particular user, and have originally authenticated that user by sending email to an address associated with one particular Yahoo mailbox. If the mailbox is reassigned, they are now sending emails to a different person, or have authenticated someone different than the person trying to now log in with that address as their identifier.

That seems like a problem for those companies accepting email addresses as identifiers, and who are authenticating the initial interaction by sending email to a given mailbox. It also seems like a potential problem for the dormant Yahoo user, if someone can guess their (for example) Facebook password associated with the old Yahoo email address identifier. 



On Jun 20, 2013, at 5:53 PM, Tim Berners-Lee <timbl@w3.org> wrote:

> As email addresses become increasingly the grounding point for identity
> on the net, interesting to ask whether we should be expecting some
> standards of persistence ...  or should we be always quoting them with a date?
> Timbl
>> """Yahoo tells security critics to chillax regarding its email recycling program
>> So much for trying to be nice. Yahoo’s latest bid to lift itself from the tech also-ran swamp with an email recycling initiative has been criticized for potential security threats to dormant users. To try and calm down the pitchfork-wielding crowd, the company has released a statement describing various security measures that will be taken to insure past users’ data and security—but they may not cover all the bases."""
>> http://www.techhive.com/article/2042508/yahoo-tells-security-critics-to-chillax-regarding-its-email-recycling-program.html
Received on Thursday, 20 June 2013 23:56:40 UTC
