On 6/23/10, [email protected] <[email protected]> wrote:
> The problem is that some projects have completed and shut down. The public
> CPID for those projects will now never change.
>
> If I figure out how to have my account have your CPID, all I am doing is
> giving you my credits. There is no means of pretending to be someone else
> this way like there is with the authenticator. Would there really be a
> problem if the CPIDs were not hashed with the email address?

Suppose I create an account on a project where you *don't* participate, under my name, and my email address. Then make my BOINC client send *your* CPID. Stats sites would link my account on that project with your accounts on the other projects, so it'd appear like my total credit includes all the credits you have. If it's hashed, I would need to use your email address, and your private CPID (which I have no way to know).

Also, even if there was no problem with not hashing with email address, I doubt we can change that now without breaking compatibility. It may change the CPID of every user in every project that upgrades the server...

--
Nicolas
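
The linking behaviour described in the reply above, as an added example that is not part of the original message or of BOINC's code. The `Project` class, the addresses, the credit values and the choice of MD5 over "private CPID + email" are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def public_cpid(private_cpid, email):
    # Assumption: MD5 stands in for whatever hash the project server applies.
    return hashlib.md5((private_cpid + email).encode()).hexdigest()

class Project:
    """Toy project server; `hashed` selects what it exports to stats sites."""
    def __init__(self, name, hashed):
        self.name, self.hashed, self.accounts = name, hashed, []

    def register(self, email, client_sent_cpid, credit):
        # The server trusts the CPID the client sends and stores it with the email.
        self.accounts.append((email, client_sent_cpid, credit))

    def export(self):
        # Yields (identifier shown to stats sites, credit) per account.
        for email, cpid, credit in self.accounts:
            yield (public_cpid(cpid, email) if self.hashed else cpid), credit

def stats_totals(projects):
    # A stats site sums credit across projects for identical exported identifiers.
    totals = defaultdict(int)
    for project in projects:
        for ident, credit in project.export():
            totals[ident] += credit
    return totals

def simulate(hashed):
    """Return (total shown for the second user, total shown for the first user)."""
    first_email, first_private = "first@example.org", "a" * 32  # constructed values
    a, b, c = (Project(n, hashed) for n in "ABC")
    a.register(first_email, first_private, 5000)
    b.register(first_email, first_private, 7000)
    # The second user only sees what project A exports for the first user,
    # and makes their client send that value to project C.
    visible = next(a.export())[0]
    c.register("second@example.org", visible, 10)
    totals = stats_totals([a, b, c])
    return totals[next(c.export())[0]], totals[visible]

if __name__ == "__main__":
    print("unhashed:", simulate(False))  # both accounts collapse into one total
    print("hashed:  ", simulate(True))   # accounts stay separate
```
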
