Sheila Mooney wrote:
> On Jul 11, 2006, at 1:30 PM, Jeremy Epstein wrote:
>> (1) it looks to match users to emails in the cosmo DB,
>> (2) if matched "do the right thing" if not, create a new account.
>> username == email
>> (3) send email to all these new users
>> (4) when the new user gets to scooby and attempts a non-read action,
>> we prompt for them to enter their email and password.-- we offer an
>> affordance for new users to choose a password.
>> All of this implies that chandler and scooby can do what every other
>> app on the web does-- send automated emails.

Doing it like this is not good for the reasons Sheila listed. But this could be improved a little bit, although it still would not solve all issues.

(2/4) if not matched, create a "temporary account". When the recipient clicks the invitation link they are informed that this is not a valid account but are asked to either log in with their existing account or create a new account. In some cases logging in might work automatically (old cookies or something).

The bad part even with this is that security/privacy conscious people are wary of giving services too much information about themselves or their friends, like alternative email addresses.

> Seems to me like we talked about this when I first started at OSAF and
> decided this wouldn't work well. I can't remember all the issues but I
> would like to get Lisa to chime in since most of these discussions were
> with her. We used to have a sharing invitation detail view where people
> entered email addresses and we ended up getting rid of that to do
> something really simple - 2 tickets.

Email address as account name has generic problems in addition to the ones Sheila listed. For example:

- using email as account name will confuse less technically savvy people (for example, if they have different passwords for their email service and cosmo, they are quite likely going to enter the wrong password every now and then; but more likely than that they will use the same password on both their email and cosmo, which is bad security practice; in any case, once they have to change password on one service they may quite naturally assume it was automatically changed for the other service since they can't really tell the difference)

- does the email account name need to be a real, valid email account, or can you use an invented one that just looks like an email? if it is not valid, then you will almost certainly face a situation where somebody will try to email that address to encounter a weird error

- there is actually some value to some people to not disclose their email, but they would be ok to disclose their account name

--
Heikki Toivonen
_______________________________________________
Open Source Applications Foundation "Design" mailing list
http://lists.osafoundation.org/mailman/listinfo/design
