[Savannah-hackers] Re: How To verify identity before changing email address?
From: Bradley M. Kuhn
Subject: [Savannah-hackers] Re: How To verify identity before changing email address?
Date: Fri, 26 Dec 2003 14:18:27 -0500
User-agent: Mutt/1.5.4i
Hugo Gayosso wrote:
> How should we verify user's identity so we can comply with their
> request for changing their registered email address?
I suggest that we follow this procedure:
* Send a message to the address on file, and see if it bounces. If it
doesn't bounce, then we must ask the original user why, and decide
what to do on a case-by-case basis. We should be EXTREMELY reluctant
-- if not outright REFUSE -- to change an email address if the one on
file does not bounce.
* If the mail does bounce, we should ask the user if they can produce
any evidence that they once had that email address. The best
evidence would be a GPG-signed message that is signed with a key that
has both their old and new email address on it, and that the GPG key
be available from a well-known public keyserver. While this could be
forged, it would be substantial work to do so and could easily get
discovered.
(Note, this is why I say the key must be on a public keyserver. Even
if they forge the key to refer to email addresses they don't control
(i.e., generate a key that includes bogus info), putting it on a public
keyserver could likely flag the real owner of the email address.)
* If they cannot use the GPG solution, I suppose we should accept any
plausible explanation for why their old email address is bouncing
(e.g., changed ISP). If someone truly wants to social engineer their
way into commit access on a project, they can likely do it. We
can't beat it; we can just make it some effort to succeed in such
social engineering.
Do any savannah-hackers object to this procedure? If not, then please go
ahead with it.
-- bkuhn
--
Learn more about my work for FSF and how you can help:
http://svcs.affero.net/rm.php?r=bkuhn&p=FSF
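The three-step procedure in the message above, written out as a decision routine. This is an added example, not code from Savannah or from bkuhn; it assumes the requester's key has been listed with `gpg --with-colons --list-keys` (a real GnuPG option, whose uid records carry the validity flag in field 2 and the user ID in field 10), and the sample listing, key ID, names and addresses below are constructed.

```python
import re
from enum import Enum
from typing import Optional, Set


class Decision(Enum):
    REFUSE = "old address still delivers: ask the user on file, be very reluctant"
    ACCEPT = "old address bounced and a public GPG key carries old and new address"
    MANUAL = "old address bounced, no key evidence: judge the explanation by hand"


# Constructed sample of `gpg --with-colons --list-keys` output (hypothetical key).
SAMPLE_LISTING = """\
tru::1:1072000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2002-01-01::::::scESC:
fpr:::::::::FFFF0000111122223333444455556666777788889999:
uid:u::::2002-01-01::HASH::Example User <old@example.org>::::::::::0:
uid:u::::2003-12-01::HASH::Example User <new@example.net>::::::::::0:
uid:r::::2001-01-01::HASH::Example User <retired@example.com>::::::::::0:
"""


def key_emails(listing: str) -> Set[str]:
    """Email addresses on the key's user IDs, skipping revoked/expired ones."""
    emails = set()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or fields[1] in ("r", "e"):
            continue  # not a uid record, or revoked ('r') / expired ('e')
        match = re.search(r"<([^>]+)>", fields[9])  # field 10 holds the user ID
        if match:
            emails.add(match.group(1).lower())
    return emails


def decide(old: str, new: str, old_bounced: bool, signature_good: bool,
           key_on_keyserver: bool, listing: Optional[str]) -> Decision:
    """Apply the procedure: bounce check first, then GPG evidence, else manual."""
    if not old_bounced:
        return Decision.REFUSE
    if signature_good and key_on_keyserver and listing is not None:
        uids = key_emails(listing)
        if old.lower() in uids and new.lower() in uids:
            return Decision.ACCEPT
    return Decision.MANUAL
```

A revoked user ID (validity `r`) does not count as evidence, so a request naming it falls through to the manual case.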