[foaf-dev] [Fwd: [FriendFeed] Re: FOAF tweaks]
Richard Cyganiak
richard at cyganiak.de
Fri May 9 15:01:25 BST 2008
On 9 May 2008, at 13:39, Julian Bond wrote:
> So basically, I just don't see a significant security issue with
> including mbox_sha1sum. YMMV.

Let's say Bob has an account at site X and another account at site Y.
He wants to keep the identities distinct; one might be about his work
life and the other might be related to his online gaming identity and
he doesn't want smushing between them. If site X and site Y both say:
“We will never, ever publish your email address”, then he might feel
fine about using the same email address in both places.

Now, if sites X and Y publish hashes of users' email addresses, it
becomes possible to smush Bob's two identities, and discover Bob Smith
on site X is TheReaper83 on site Y. This will violate Bob's
expectations, and he might feel betrayed by the sites.

That's the security issue.

mbox_sha1sum is like an “identity fingerprint” that can be tracked
across the Web. Users will be surprised that sites publish such a
fingerprint.

Richard
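
Added example, not part of the original message or of any FOAF project code: a linkability check a site operator could run before publishing an identifier, showing that mbox_sha1sum (the SHA-1 of the mailto: URI) is identical on every site and therefore works as a join key. The user lists, the keys and the per-site HMAC variant are constructed assumptions for illustration; FOAF does not define the HMAC variant.

```python
import hashlib
import hmac

def mbox_sha1sum(email):
    """FOAF mbox_sha1sum: hex SHA-1 of the mailto: URI (unsalted, same on every site)."""
    return hashlib.sha1(("mailto:" + email).encode("utf-8")).hexdigest()

def site_pseudonym(site_key, email):
    """Assumed alternative, not part of FOAF: HMAC-SHA256 under a per-site secret."""
    return hmac.new(site_key, ("mailto:" + email).encode("utf-8"), hashlib.sha256).hexdigest()

def publish(users, ident_fn):
    """What a site would expose: (display name, identifier) for each user."""
    return [(name, ident_fn(email)) for name, email in users]

def linked_accounts(published_a, published_b):
    """Pairs of display names whose published identifiers are identical."""
    index = {ident: name for name, ident in published_a}
    return sorted((index[i], name) for name, i in published_b if i in index)

# Constructed sample data: Bob reuses one address on both sites.
SITE_X = [("Bob Smith", "bob@example.org"), ("Carol Jones", "carol@example.org")]
SITE_Y = [("TheReaper83", "bob@example.org"), ("dave_plays", "dave@example.org")]
KEY_X, KEY_Y = b"constructed-secret-site-x", b"constructed-secret-site-y"

def linkability_report():
    """Return (links via mbox_sha1sum, links via per-site HMAC)."""
    sha_links = linked_accounts(publish(SITE_X, mbox_sha1sum), publish(SITE_Y, mbox_sha1sum))
    hmac_links = linked_accounts(
        publish(SITE_X, lambda e: site_pseudonym(KEY_X, e)),
        publish(SITE_Y, lambda e: site_pseudonym(KEY_Y, e)),
    )
    return sha_links, hmac_links

if __name__ == "__main__":
    sha_links, hmac_links = linkability_report()
    print("linked via mbox_sha1sum:", sha_links)
    print("linked via per-site HMAC:", hmac_links)
```

The per-site keyed value also prevents the merging of descriptions across sites that mbox_sha1sum exists to support, so it is a trade-off rather than a drop-in replacement.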