- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 28 Jun 2013 08:59:58 +0200
- To: John Kemp <john@jkemp.net>
- Cc: Tim Berners-Lee <timbl@w3.org>, TAG List <www-tag@w3.org>
- Message-ID: <CAKaEYhKen=yGLTTCv96J14qtRZri0F=rk4y4axuX8qc5BEmSrg@mail.gmail.com>
On 21 June 2013 01:56, John Kemp <john@jkemp.net> wrote:

> Email addresses in such a scenario have two quite-different uses:
>
> i) As an identifier disambiguating one user from any other within the
> email (i.e. security) domain
> ii) As an address for mail delivery
>
> Since Yahoo can physically reassign an address to a different mailbox
> within their domain, there's not really any problem for Yahoo. Dormant
> users have indicated that they have "moved out" of their mailbox, by their
> inactivity. Yahoo can ensure both that the old mailbox is inaccessible, and
> they can ensure the old account password is changed, protecting data
> associated with the dormant user at Yahoo.
>
> However, when that email address is used as an identifier for an
> individual outside the Yahoo systems (say joe@yahoo.com uses that email
> address to get a Facebook account), there is a potential problem for those
> companies who have accepted a Yahoo email address as an identifier for a
> particular user, and have originally authenticated that user by sending
> email to an address associated with one particular Yahoo mailbox. If the
> mailbox is reassigned, they are now sending emails to a different person,
> or have authenticated someone different than the person trying to now log in
> with that address as their identifier.
>
> That seems like a problem for those companies accepting email addresses as
> identifiers, and who are authenticating the initial interaction by sending
> email to a given mailbox. It also seems like a potential problem for the
> dormant Yahoo user, if someone can guess their (for example) Facebook
> password associated with the old Yahoo email address identifier.

This is a great point. Without wishing to go off at too much of a tangent, I think email style identifiers tend to be overloaded in THREE ways:

i) as the primary key to an identity system
ii) as an address for mail delivery
iii) a memorable identifier

This overloading has some possible consequences.

Firstly, anyone wishing to partake in such an identity system needs to be able to run an email system, or delegate that out to a third party. This is a relatively high overhead, meaning that large email providers are positively differentiated at the expense of the long tail. Architecturally, this exacerbates centralization of the web, which can lead to single points of failure, or perhaps in some cases a loss of privacy.

Additionally, systems tend to be architected in such a way that there is a one-to-one correspondence between your email address and your identity. This means that it's problematic to change your email address, say, if you get married. You have to start your identity all over again.

One exception to this rule is Facebook, which uses graph.facebook.com, i.e. an HTTP URI, as its primary key, and email as your foreign key. This means you can change your email, name, or other data, while leaving your main profile record intact. Indeed, you could add more than one email, in theory.

From an architecture point of view, I find the growth of email as an identity system on the web slightly troubling. Consider HTTP (bis), the "From" field allows an email address, and NOT an HTTP identifier. HTTP identifiers (e.g. for robots) are often stuffed into the User-Agent field delimited by a semicolon.

I can think of no major communication system that prevents the user from identifying themselves with an ID that's part of that system. For example, an email message can have an email sender, telephone calls can have "caller display" to give a phone number, and the postal service allows the sender's address to sometimes be recorded or displayed.

Overloading Email as identity, while undoubtedly useful, potentially causes a few issues, other than just the recycling problem. Systems such as Mozilla Persona allow ONLY email, systems such as WebID generally are defined to be only HTTP, and systems such as OAuth can have both.

I think the web would benefit from a more holistic approach to identity.

Just my 2 cents ...

>
> Regards,
>
> John
>
> On Jun 20, 2013, at 5:53 PM, Tim Berners-Lee <timbl@w3.org> wrote:
>
> > As email addresses become increasingly the grounding point for identity
> > on the net, interesting to ask whether we should be expecting some
> > standards of persistence ... or should we be always quoting them with a
> > date?
> >
> > Timbl
> >
> >> """Yahoo tells security critics to chillax regarding its email
> >> recycling program
> >>
> >> So much for trying to be nice. Yahoo’s latest bid to lift itself from
> >> the tech also-ran swamp with an email recycling initiative has been
> >> criticized for potential security threats to dormant users. To try and calm
> >> down the pitchfork-wielding crowd, the company has released a statement
> >> describing various security measures that will be taken to insure past
> >> users’ data and security—but they may not cover all the bases."""
> >>
> >> http://www.techhive.com/article/2042508/yahoo-tells-security-critics-to-chillax-regarding-its-email-recycling-program.html

Received on Friday, 28 June 2013 07:00:26 UTC
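
An added illustration of two ideas raised in the thread above, not code from any of its participants: accounts keyed by an opaque identifier with email held as a dated foreign key, and a password-reset lookup that refuses a mailbox binding whose last verification is too old to trust after possible recycling. The table layout, function names and the one-year `MAX_BINDING_AGE` are assumptions made for this example.

```python
import sqlite3
import uuid
from datetime import date, timedelta

MAX_BINDING_AGE = timedelta(days=365)  # assumed policy value, not from the thread

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (id TEXT PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE email (address TEXT PRIMARY KEY, "
               "account_id TEXT NOT NULL REFERENCES account(id), "
               "verified_on TEXT NOT NULL)")
    return db

def create_account(db, name):
    account_id = uuid.uuid4().hex  # opaque primary key, never an email address
    db.execute("INSERT INTO account VALUES (?, ?)", (account_id, name))
    return account_id

def bind_email(db, account_id, address, verified_on):
    # Plain INSERT: an address already bound to any account raises IntegrityError.
    db.execute("INSERT INTO email VALUES (?, ?, ?)",
               (address.lower(), account_id, verified_on.isoformat()))

def reverify_email(db, address, verified_on):
    # Call only after the user has proven control of the mailbox again.
    db.execute("UPDATE email SET verified_on = ? WHERE address = ?",
               (verified_on.isoformat(), address.lower()))

def unbind_email(db, address):
    db.execute("DELETE FROM email WHERE address = ?", (address.lower(),))

def account_for_reset(db, address, today):
    """Return the account id only if the mailbox binding is recent enough."""
    row = db.execute("SELECT account_id, verified_on FROM email WHERE address = ?",
                     (address.lower(),)).fetchone()
    if row is None:
        return None
    if today - date.fromisoformat(row[1]) > MAX_BINDING_AGE:
        return None  # stale binding: the mailbox may have changed hands
    return row[0]
```

A `None` from `account_for_reset` means the reset flow has to fall back to another proof of identity rather than mailing a link to the address.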