
libravatar-fans team mailing list archive

Re: Discussion: API keys - follow up from IRC

 

On Tuesday, 12 March 2019, clime <clime7@xxxxxxxxx> wrote:

>
>
> On Tuesday, 12 March 2019, Oliver Falk <oliver@xxxxxxxxxxxxxxx> wrote:
>
>> Hey.
>>
>> Thanks Tristan for bringing it to the point. :-)
>> Yes, federation wouldn't work - only if we do not encrypt the hash, but
>> instead the mail-address (makes sense, since it's anyway encrypted) and
>> Libravatar proxies the requests to the federated site. Which means, that
>> these sites would only need to trust Libravatar.
>> BTW, that raises the question in my mind: do we know how many sites
>> actually run their own Libravatar (compatible) service? I guess no!? @Francois
>> Marier <francois@xxxxxxxxxxx> do you know anything?
>>
>> So in the end it boils down to the question if we want to build and offer
>> such a feature and if, we need to think about the implementation details -
>> what I built for the moment is only a raw PoC/idea.
>>
>
> Good luck.
>

Let me know if you need anything server-side!


>
>>
>> Oliver
>>
>>
>> On Tue, Mar 12, 2019 at 3:03 PM Tristan Le Guern <tleguern@xxxxxxxxxxx>
>> wrote:
>>
>>> On 3/12/19 12:59 PM, clime wrote:
>>> > I am missing the point of encrypting the hash. I could understand it for
>>> > md5, which is crackable nowadays but not quite for sha256. That hash
>>> > should be non-reversible in practical terms and then we can always just
>>> > jump to sha512 in a few years when hardware is stronger
>>>
>>> SHA256 is still susceptible to rainbow table attacks so in theory a
>>> dedicated spammer could still harvest libravatar users' hashes for his
>>> nefarious purpose and use them to validate email addresses. This issue
>>> has been raised since Gravatar's birth.
>>>
>>> Oliver proposes a mechanism to solve this issue but with a clear
>>> drawback: in its current form it breaks federation.
>>>
>>>
>>
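
The point debated above (whether a stronger digest protects the address) as an added example, not code from this thread or from Oliver's PoC: an unkeyed identifier lets anyone confirm a guessed address whatever the digest size, while a keyed one does not. The HMAC construction, the `SITE_KEY` value and all function names are assumptions made for illustration; the addresses are constructed.

```python
import hashlib
import hmac

def normalise(email: str) -> bytes:
    # Libravatar-style normalisation: trim whitespace and lowercase before hashing.
    return email.strip().lower().encode("utf-8")

def plain_id(email: str, algo: str = "sha256") -> str:
    """Unkeyed identifier: anyone can recompute it from a guessed address."""
    return hashlib.new(algo, normalise(email)).hexdigest()

def keyed_id(email: str, key: bytes) -> str:
    """Hypothetical keyed identifier (HMAC-SHA256); requires the secret key."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()

def confirmed(observed: set, guesses: list, make_id) -> list:
    """Guessed addresses whose identifier matches one seen in avatar URLs."""
    return [g for g in guesses if make_id(g) in observed]

# Constructed sample data (example.org addresses, not real users).
USERS = ["alice@example.org", "Bob@Example.org "]
GUESSES = ["alice@example.org", "bob@example.org", "carol@example.org"]
SITE_KEY = b"constructed-demo-key"  # assumption: API key shared by site and server

def run_demo() -> dict:
    results = {}
    # A longer digest changes nothing: the input space is what is guessable.
    for algo in ("sha256", "sha512"):
        observed = {plain_id(u, algo) for u in USERS}
        results[algo] = confirmed(observed, GUESSES, lambda g, a=algo: plain_id(g, a))
    observed = {keyed_id(u, SITE_KEY) for u in USERS}
    # Without the key, an observer can only try unkeyed digests or a wrong key.
    results["hmac, no key"] = confirmed(observed, GUESSES, plain_id)
    results["hmac, wrong key"] = confirmed(
        observed, GUESSES, lambda g: keyed_id(g, b"guess"))
    return results

if __name__ == "__main__":
    for scheme, hits in run_demo().items():
        print(f"{scheme:16} confirmed: {hits}")
```

A federated server that does not hold the key is in the same position as the outside observer here, which is the federation drawback raised in the thread.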
