[foaf-dev] [Fwd: [FriendFeed] Re: FOAF tweaks]

Richard Cyganiak richard at cyganiak.de
Fri May 9 15:01:25 BST 2008


On 9 May 2008, at 13:39, Julian Bond wrote:
> So basically, I just don't see a significant security issue with  
> including mbox_sha1sum. YMMV.

Let's say Bob has an account at site X and another account at site Y.  
He wants to keep the identities distinct; one might be about his work  
life and the other might be related to his online gaming identity and  
he doesn't want smushing between them. If site X and site Y both say:  
“We will never, ever publish your email address”, then he might feel  
fine about using the same email address in both places.

Now, if sites X and Y publish hashes of users' email addresses, it  
becomes possible to smush Bob's two identities, and discover Bob Smith  
on site X is TheReaper83 on site Y. This will violate Bob's  
expectations, and he might feel betrayed by the sites.

That's the security issue.

mbox_sha1sum is like an “identity fingerprint” that can be tracked  
across the Web. Users will be surprised that sites publish such a  
fingerprint.

Richard


>
>
> -- 
> Julian Bond  E&MSN: julian_bond at voidstar.com  M: +44 (0)77 5907  
> 2173
> Webmaster:          http://www.ecademy.com/      T: +44 (0)192 0412  
> 433
> Personal WebLog:    http://www.voidstar.com/     skype:julian.bond? 
> chat
>                        Do Not Expose To Heat
> _______________________________________________
> foaf-dev mailing list
> foaf-dev at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-dev


More information about the foaf-dev mailing list