← Back to team overview

libravatar-fans team mailing list archive

Re: Discussion: API keys - follow up from IRC

 

Hey.

Thanks Tristan for bringing it to the point. :-)
Yes, federation wouldn't work - only if we do not encrypt the hash, but
instead the mail-address (makes sense, since it's anyway encrypted) and
Libravatar proxies the requests to the federated site. Which means, that
these sites would only need to trust Libravatar.
BTW. That raises the question in my mind do we know how many sites actually
run their own Libravatar (compatible) service? I guess no!? @Francois Marier
<francois@xxxxxxxxxxx> do you know anything?

So in the end it boils down to the question if we want to build and offer
such a feature and if, we need to think about the implementation details -
what I built for the moment is only a raw PoC/idea.

Oliver


On Tue, Mar 12, 2019 at 3:03 PM Tristan Le Guern <tleguern@xxxxxxxxxxx>
wrote:

> On 3/12/19 12:59 PM, clime wrote:
> > I am missing the point encrypting the hash. I could understand it for
> > md5, which is crackable nowdays but not quite for sha256. That hash
> > should be non-reversible in practical terms and then we can always just
> > jump to sha512 in a few years when hardware is stronger
>
> SHA256 is still susceptible to rainbow tables attack so in theory a
> dedicated spammer could still harvest libravatar users' hashes for his
> nefarious purpose and use them to validate email addresses. This issue
> has been raised since Gravatar's birth.
>
> Oliver proposes a mechanism to solve this issue but with a clear
> drawback: in it's current form it breaks federation.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~libravatar-fans
> Post to     : libravatar-fans@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~libravatar-fans
> More help   : https://help.launchpad.net/ListHelp
>

Follow ups

References