On Tue, 25 Aug 2015 at 01:42 Bruno Pagani <[email protected]> wrote:
> On 26/07/2015 22:29, Daniel Micay wrote:
> > On 26/07/15 04:01 PM, Igor Morozov wrote:
> >> That's right, I messed up. Instead of typing fastmail.com, I typed
> >> fastmai.com. And now there is no way I can access my account. The only
> >> option is to send an email to this mailing list describing my problem
> >> and hope that somebody will help me out. Basically, that's what I'm
> >> doing right now.
> > Okay, so it can ask the user to provide the same email in two fields.
> >
> > It could treat an unconfirmed account as a temporary placeholder and
> > replace it if registration is done again for the same username.
> >
> > It shouldn't be possible to log in without confirming the email unless
> > all of the actions (voting, submitting packages, commenting, etc.)
> > beyond editing account information are gated on whether the account is
> > registered.
> >
> >> People tend to make mistakes. I'm not the only one who messed up during
> >> registration. And there is no easy way to get our account back. Mailing
> >> list is not the best option for account recovery. What if the misspelled
> >> email exists and the owner decides to proceed and register? What if the
> >> owner decides to do nasty things using my username, full name and email
> >> that looks alike? That would affect my reputation in the community since
> >> it's difficult to prove that I was not the bad guy.
> >> The usual "account activation" prevents this stuff. A lot of web sites
> >> do not automatically log user in after account confirmation, so it kind
> >> of prevents malicious activity (the bad guy doesn't know the password,
> >> you see).
> > Someone could have just created a fake account before you did, so it's
> > really not an issue related to the confirmation design.
> >
> >> And by the way, the fact that you can use an unused (not registered)
> >> email in account recovery and not get any errors is frustrating. Took me
> >> 8 hours to realize that it says "okay", even though the email is not in
> >> use. Please, do something about it!
> > Emails aren't received instantly, so there's no error to report during
> > registration.
>
> Sorry to respond so late, but I had a little idea (but maybe it's not a
> good one) to enhance things here.
>
> OP was concerned about the owner of the false address being able to do
> nasty things. Since it seems we ask for a PGP key, would it be possible
> for the server to encrypt the account confirmation mail? And check that
> (one of) the email(s) on the key corresponds to the one provided during
> registration (to help once again avoid typos, but see also below)?
>
> Thus, even if the malicious bad guy registers a false account using your
> nickname and your full name, there are two possibilities:
>
> – he registers with an email he owns, using a false GPG key. You may
> then prove this and show it wasn't you (which was the concern).
> – he registers with your key, but then the email verification step
> blocks him.
>
> Any thoughts?

Why don't we do what every other site does and have a confirm email field? Or a way to change passwords over ssh, since putting in a public key is a field on registration as well?

- Justin
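The three mitigations proposed in the thread (a second email field that must match, unconfirmed accounts kept only as replaceable placeholders, and voting/submitting/commenting gated on confirmation) fit together in a small registration flow. The Python below is an added example written for this page; it is not code from the AUR or from any participant. Every name in it is hypothetical, the one-day token lifetime is an assumption, and the sample addresses are constructed. It also shows why a recovery form answers "okay" for an unknown address: the reply is kept identical so the form cannot be used to enumerate registered emails. The PGP-encrypted confirmation mail Bruno suggests is not modelled here.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600                      # assumption: a confirmation link is valid for one day
GATED_ACTIONS = {"vote", "submit_package", "comment"}   # everything beyond editing one's own profile


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    confirmed: bool = False
    token_hash: Optional[str] = None   # only a hash of the confirmation token is stored
    token_expires: float = 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2, stored as 'salt:digest' so it can be verified later."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


class Registry:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                                  # injectable clock, used for expiry tests
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []         # (recipient, token) mails that would be sent
        self.errors: List[str] = []                     # rejection reasons, for the caller to show

    @staticmethod
    def normalise(email: str) -> str:
        return email.strip().lower()

    def register(self, username: str, email: str, email_confirm: str, password: str) -> Optional[str]:
        """Returns the plaintext confirmation token (normally only mailed), or None if rejected."""
        # 1. The address is typed twice and must match, so a typo such as
        #    "exampl.org" for "example.org" is caught before anything is stored.
        if self.normalise(email) != self.normalise(email_confirm):
            self.errors.append("email addresses do not match")
            return None
        existing = self.accounts.get(username)
        # 2. Only a confirmed account owns its username; an unconfirmed one is a
        #    placeholder that a fresh registration for the same name replaces.
        if existing is not None and existing.confirmed:
            self.errors.append("username already taken")
            return None
        token = secrets.token_urlsafe(32)
        self.accounts[username] = Account(
            username=username,
            email=self.normalise(email),
            password_hash=hash_password(password),
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            token_expires=self.now() + TOKEN_TTL_SECONDS,
        )
        self.outbox.append((self.normalise(email), token))
        return token

    def confirm(self, username: str, token: str) -> bool:
        """Marks the account confirmed if the token is current; it never logs the user in."""
        acct = self.accounts.get(username)
        if acct is None or acct.confirmed or acct.token_hash is None:
            return False
        if self.now() > acct.token_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, acct.token_hash):
            return False
        acct.confirmed = True
        acct.token_hash = None          # single use
        return True

    def can_perform(self, username: str, action: str) -> bool:
        # 3. Voting, submitting and commenting require a confirmed email; editing
        #    the (still unconfirmed) account's own details stays allowed.
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if action in GATED_ACTIONS:
            return acct.confirmed
        return action == "edit_profile"

    def request_recovery(self, email: str) -> str:
        # The reply is identical whether or not the address is known, so the
        # form cannot be used to enumerate registered addresses. That is the
        # trade-off behind "it says okay even though the email is not in use".
        for acct in self.accounts.values():
            if acct.confirmed and acct.email == self.normalise(email):
                self.outbox.append((acct.email, secrets.token_urlsafe(32)))
        return "If that address is registered, a recovery mail has been sent."
```

A re-registration for a placeholder username invalidates the earlier token, because the stored token hash is replaced along with the account; a confirmed username can no longer be taken over this way.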
