[aur-general] Registering, misspelling email, losing account

Mon Aug 24 15:42:23 UTC 2015

Le 26/07/2015 22:29, Daniel Micay a écrit :
> On 26/07/15 04:01 PM, Igor Morozov wrote:
>> That's right, I messed up. Instead of typing fastmail.com, I typed
>> fastmai.com. And now there is no way I can access my account. The only
>> option is to send an email to this mailing list describing my problem
>> and hope that somebody will help me out. Basically, that's what I'm
>> doing right now.
> Okay, so it can ask the user to provide the same email in two fields.
>
> It could treat an unconfirmed account as a temporary placeholder and
> replace it if registration is done again for the same username.
>
> It shouldn't be possible to log in without confirming the email unless
> all of the actions (voting, submitting packages, commenting, etc.)
> beyond editing account information are gated on whether the account is
> registered.
>
>> People tend to make mistakes. I'm not the only one who messed up during
>> registration. And there is no easy way to get our account back. Mailing
>> list is not the best option for account recovery. What if the misspelled
>> email exists and the owner decides to proceed and register? What if the
>> owner decides to do nasty things using my username, full name and email
>> that looks alike? That would affect my reputation in the community since
>> it's difficult to prove that I was not the bad guy. 
>> The usual "account activation" prevents this stuff. A lot of web sites
>> do not automatically log user in after account confirmation, so it kind
>> of prevents malicious activity (the bad guy doesn't know the password,
>> you see).
> Someone could have just created a fake account before you did, so it's
> really not an issue related to the confirmation design.
>
>> And by the way, the fact that you can use an unused (not registered)
>> email in account recovery and not get any errors is frustrating. Took me
>> 8 hours to realize that it says "okay", even though the email is not in
>> use. Please, do something about it!
> Emails aren't received instantly, so there's no error to report during
> registration.
>

Sorry to respond so late, but I had a little idea (but maybe it’s not a
good one) to enhance things here.

OP was concerned about the owner of the false adress being capable to do
nasty things. Since it seems we ask for PGP key, would it be possible
for the server to encrypt the account confirmation mail ? And check that
(one of) the email(s) on the key correspond to the one provided during
registration (to help once again avoiding typos, but see also below)?

Thus, even if the malicious bad guy registers a false account using your
nickname and your full name, they are two possibilities:

– he registers with an email he owns, using a false GPG key. You may
then prove this and show it wasn’t you (which was the concern).
– he registers with your key, but then the email verification step
blocks him.

Any thoughts?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20150824/79153fd5/attachment.asc>