BPuhl’s Blog

A little bit of everything without actually being much of anything

EASI ID (pt 1.5)

Posted by BPuhl on March 26, 2009

Question for you

You’re Jon Smith, and you signed up for the TAA.COM (Totally Awesome App) application when you worked at Contoso; it was free and let you store all of your client data.  You signed up with the user name JSmith@contoso.com.  Good thing too, because when you quit working at Contoso years ago, you took your clients with you.  Over the years, you have either never updated your login ID, or maybe the application won’t let you.

Now TAA.COM decides to break into the SaaS market by offering their totally awesome app to business customers, and Contoso signs up.  Who gets to have the JSmith@contoso.com user name, you (by virtue of being first), or Jerry Smith, the current JSmith@contoso.com who was hired after you left?

Even though Contoso has federated, single sign-on authentication – does it matter?

I guess another way to put this is: does an individual own the usage rights to their email address forever, or does the company own their namespace and all resources (i.e. names) within it?  Worst case, what happens if Jerry signs in and sees Jon’s information?


4 Responses to “EASI ID (pt 1.5)”

  1. JSmith should belong to Jon Smith in perpetuity. However contoso.com doesn’t. Both in a legal and moral sense.

  2. BPuhl said

    Thanks for commenting (always good validation that someone’s reading :))

    I’m not sure what you mean. There is only a JSmith@contoso.com – In the EASI world, there is no such thing as JSmith, because that’s not an email address formatted username.

  3. Ariel Gordon said

    Contoso owns the domain and any identifier in its realm.
    Email addresses bear a claim of employment. I.e. my @contoso.com address shows (with a certain level of certainty) that I work for Contoso. Using this address after I leave the company is akin to continuing to distribute business cards with the address on it.

    Today, 99% of websites leverage email providers’ infrastructure for user authentication: you type your email address as a login then create a password that can be reset/resent via email, effectively handing the keys to the account to anyone who controls the mailbox, including the new guy–Jerry Smith in your example.

    Websites that implement authentication delegation (aka federation in the consumer sense of the term) could be informed by the IdP of user account deprovisioning and, as best practice, take action to close the account, prompt the user to create alternate credentials (if they have a fallback email address or phone #), etc.

    Thoughts?
    -Ariel.

  4. […] by BPuhl on August 7, 2009 Back in March, I posted EASI ID (pt 1.5), posting a question about who owns the rights to resources within a namespace, specifically email […]
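
The worst case from the post (Jerry signing in and seeing Jon's information) and the deprovisioning notice suggested in comment 3 can be put side by side in a small model. This is an added example, not code from the post or from any commenter; the `Site` class, its method names, the account states and the fallback address are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    owner: str                       # label used only by this demo
    login: Optional[str]             # email-formatted user name, lower-cased
    fallback: Optional[str] = None   # other address or phone given at signup
    state: str = "active"            # active | needs_new_login | closed
    data: list = field(default_factory=list)

class Site:
    """Hypothetical relying party (TAA.COM in the post)."""
    def __init__(self):
        self.accounts = []

    def _find(self, email):
        key = email.lower()
        return next((a for a in self.accounts
                     if a.login == key and a.state == "active"), None)

    def signup(self, owner, email, fallback=None):
        acct = Account(owner, email.lower(), fallback)
        self.accounts.append(acct)
        return acct

    def on_deprovisioned(self, email):
        """IdP notice: the person behind this address has left the domain."""
        acct = self._find(email)
        if acct is None:
            return None
        acct.login = None  # the name goes back to the domain owner
        # Keep the data reachable only if the user can be contacted another way.
        acct.state = "needs_new_login" if acct.fallback else "closed"
        return acct

    def federated_login(self, owner, email):
        """Sign-in asserted by the domain's IdP for this address."""
        return self._find(email) or self.signup(owner, email)

def scenario(notify):
    """Constructed walk-through: Jon signs up, leaves, then Jerry signs in."""
    site = Site()
    jon = site.signup("Jon", "JSmith@contoso.com", fallback="jon@example.net")
    jon.data.append("client list")
    if notify:
        site.on_deprovisioned("JSmith@contoso.com")
    jerry = site.federated_login("Jerry", "jsmith@contoso.com")
    return jerry.owner, list(jerry.data), jon.state
```

Without the notice, `scenario(False)` hands Jerry the account that still holds Jon's client list; with it, `scenario(True)` gives Jerry an empty account and leaves Jon's data parked until he sets up a new login through his fallback address.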
