[Mailman-Developers] Architecture for extra profile info

Richard Wackerbarth rkw at dataplex.net
Sun Apr 28 15:03:35 CEST 2013

On Apr 28, 2013, at 2:15 AM, Stephen J. Turnbull <stephen at xemacs.org> wrote:

> Xu Wang writes:
>> The problem is how do you "confirm ownership of the subscribed address"
>> when a request comes with an access token.
> You don't.  That was done when the OAuth ID was linked to the address,
> using the usual 3-step handshake (submit the association, receive an
> email containing a secret, confirm ownership by replying with the secret).

In many installations, the linking may not require the email handshake.
An installation may choose to "trust" that the third party issuing the access credential has already performed sufficient vetting of the association.

I'm thinking of things like BrowserID credentials or Google/Twitter/Facebook issued credentials.

However, that is a local "policy" whose decision involves a tradeoff between the level of assurance and the ease in establishing the association.
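
Added example, not part of the original message and not Mailman code: a sketch of the linking step discussed above, with the 3-step email handshake as the default and a local policy that skips it only when a trusted issuer asserts the same address. The class name, the `issuer_verified_email` parameter and the issuer URL are assumptions made for illustration.

```python
import hmac
import secrets


class AddressLinker:
    """Links an external identity (e.g. an OAuth ID) to an email address."""

    def __init__(self, trusted_issuers=(), send_mail=None):
        # Local policy: issuers assumed to have vetted the address already.
        self.trusted_issuers = set(trusted_issuers)
        # Hypothetical mail hook; a real installation would send an email here.
        self.send_mail = send_mail or (lambda address, secret: None)
        self.pending = {}    # (identity, address) -> one-time secret
        self.linked = set()  # confirmed (identity, address) pairs

    def request_link(self, issuer, identity, address, issuer_verified_email=None):
        """Step 1: submit the association. Returns 'linked' or 'pending'."""
        key = (identity, address.lower())
        # Policy shortcut: only when a trusted issuer asserts this exact address.
        if (issuer in self.trusted_issuers and issuer_verified_email
                and issuer_verified_email.lower() == address.lower()):
            self.linked.add(key)
            return "linked"
        # Step 2: otherwise mail a one-time secret to the claimed address.
        secret = secrets.token_urlsafe(32)
        self.pending[key] = secret
        self.send_mail(address, secret)
        return "pending"

    def confirm(self, identity, address, secret):
        """Step 3: the address owner replies with the secret."""
        key = (identity, address.lower())
        expected = self.pending.get(key)
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        if expected is None or not hmac.compare_digest(
                expected.encode(), secret.encode()):
            return False
        del self.pending[key]  # the secret is single use
        self.linked.add(key)
        return True

    def is_linked(self, identity, address):
        """Later token-bearing requests consult the stored link only."""
        return (identity, address.lower()) in self.linked
```
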
