Re: user ID: email vs OpenID vs public/private keys
From: Davi Leal
Subject: Re: user ID: email vs OpenID vs public/private keys
Date: Wed, 18 Apr 2007 20:20:34 +0200
User-agent: KMail/1.9.5
Victor Engmark wrote:
> Antenore Gatta wrote:
> > The drawback is that we need also a user ID reminder.... But it's quite
> > secure.
>
> I think the last remark is the problem. We should ask for only one thing, a
> user name or an email address. I believe the email address is the easiest
> to use, and it seems that most new services on the web agree.
I agree about continuing to use only one ID, and that being an email address.
> By the way, we should implement some way to change the email address. For
> that reason, it should not be (part of) the primary key in any of our
> tables (I'm too lazy to check this now).
As you can see, the entity is identified by E1_Id. So, the entity (person, company
or non-profit) can change its email just by modifying it and saving. The webapp
also checks that when you change your email you are not using one owned by
another entity. Anyway, it would fail at the database layer due to the UNIQUE
flag:
E1_Id SERIAL PRIMARY KEY,
E1_Email varchar(60) UNIQUE CHECK (E1_Email <> ''),
Ref.: Layer-0__Site_entry_point/doc/GNUHerds__SQL_Implementation.sql
Is it not clear that users can change their email? You just modify and save, as
in other job sites I use.
> Actually, we could consider OpenID <http://openid.net/> or public / private
> keys. The latter, however, would probably be technically difficult to make
> properly secure, very few end users know how to use them, and it should
> provide some additional value to just password retrieval to make sure
> people register their public keys.
I have added a postponed task to take note of this. Anyway, I think now the
email is the standard user ID.
Task: https://savannah.nongnu.org/task/index.php?6782
Davi
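
The design described in this message (a surrogate key E1_Id plus a UNIQUE, non-empty E1_Email), as an added example that is not part of the original post or of the GNU Herds code. It assumes SQLite as a stand-in for PostgreSQL, and the table names E1_Entities and J1_JobOffers, the J1_ columns and the change_email helper are hypothetical. It lets the constraint decide instead of a lookup-then-update, and shows that a plain UNIQUE column compares case-sensitively.

```python
import sqlite3

# Constructed schema: only the two E1_ column definitions mirror the post.
# SQLite's INTEGER PRIMARY KEY stands in for PostgreSQL's SERIAL.
SCHEMA = """
CREATE TABLE E1_Entities (
    E1_Id    INTEGER PRIMARY KEY,
    E1_Email varchar(60) UNIQUE CHECK (E1_Email <> '')
);
CREATE TABLE J1_JobOffers (
    J1_Id    INTEGER PRIMARY KEY,
    J1_E1_Id INTEGER NOT NULL REFERENCES E1_Entities(E1_Id)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def change_email(conn, entity_id, new_email):
    """Return 'ok', 'taken', 'invalid' or 'unknown-entity'."""
    # No SELECT-then-UPDATE: two concurrent requests could both pass an
    # application-level lookup, so the database constraint is the arbiter.
    try:
        with conn:  # commit on success, roll back on error
            cur = conn.execute(
                "UPDATE E1_Entities SET E1_Email = ? WHERE E1_Id = ?",
                (new_email, entity_id))
    except sqlite3.IntegrityError as exc:
        return "taken" if "UNIQUE" in str(exc) else "invalid"
    return "ok" if cur.rowcount == 1 else "unknown-entity"

def demo():
    conn = open_db()
    conn.executemany("INSERT INTO E1_Entities (E1_Id, E1_Email) VALUES (?, ?)",
                     [(1, "alice@example.org"), (2, "bob@example.org")])
    conn.execute("INSERT INTO J1_JobOffers (J1_Id, J1_E1_Id) VALUES (10, 1)")
    results = [
        change_email(conn, 1, "alice@example.net"),  # free address
        change_email(conn, 2, "alice@example.net"),  # owned by entity 1
        change_email(conn, 2, ""),                   # fails the CHECK
        change_email(conn, 2, "Alice@Example.net"),  # differs only by case
    ]
    # The job offer references E1_Id, so it follows entity 1 to its new email.
    owner = conn.execute("SELECT E1_Email FROM E1_Entities JOIN J1_JobOffers "
                         "ON J1_E1_Id = E1_Id WHERE J1_Id = 10").fetchone()[0]
    return results, owner
```

The last call succeeds: the UNIQUE constraint treats the two spellings as different values, so if they should count as one address the application has to normalise the email before storing it or enforce uniqueness on a lowercased form.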