Conversation

Notices

1. Embed this notice
   Anil Dash (anildash@me.dm)'s status on Monday, 29-Jan-2024 05:24:39 JST Anil Dash

   in reply to

   • Simon Willison
   • Tim Bray

   @simon @timbray yeah, there have been attacks on known-changed emails. Can’t use the email as key.

   • Embed this notice
     Simon Willison (simon@fedi.simonwillison.net)'s status on Monday, 29-Jan-2024 05:24:43 JST Simon Willison

     in reply to

     • Tim Bray

     @timbray for me that is a pretty convincing argument to stay clear of assuming the email is a stable key

   • Embed this notice
     Tim Bray (timbray@cosocial.ca)'s status on Monday, 29-Jan-2024 05:24:45 JST Tim Bray

     in reply to

     • Simon Willison

     @simon But hmm, the more I think about this, the less comfortable I get. When you do an OpenID Connect “sign in with X”, the ID Token you get has both an "email" and a "sub" field, and the real unique key is the combination of the ID Provider and the "sub" value, which in the case of Google survives an email change. Some details here: https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens from when I was in the Google ID group.

   • Embed this notice
     Tim Bray (timbray@cosocial.ca)'s status on Monday, 29-Jan-2024 05:24:46 JST Tim Bray

     • Simon Willison

     @simon I think I might have an allow-list of email providers. Hmm, the email for your Google account doesn't have to be a Google-provided email, I wonder if G has such an allow-list.