Re: user ID: email vs OpenID vs public/private keys

[Davi Leal]

Victor Engmark wrote:
> Antenore Gatta wrote:
> > The drawback is that we need also a user ID reminder.... But it's quite
> > secure.
>
> I think the last remark is the problem. We should ask for only one thing, a
> user name or an email address. I believe the email address is the easiest
> to use, and it seems that most new services on the web agree.

I agree about follow using only one ID, and that being the an email address.

> By the way, we should implement some way to change the email address. For
> that reason, it should not be (part of) the primary key in any of our
> tables (I'm too lazy to check this now).

You can see as the entity identified is E1_Id. So, the entity (person, company 
or non-profit) can change its email just modifying it and saving. The webapp 
check too that when you change your email you are not using one owned by 
other entity. Anyway it would fails at the data base layer due to the UNIQUE 
flag:

        E1_Id              SERIAL PRIMARY KEY,
        E1_Email           varchar(60) UNIQUE CHECK (E1_Email <> ''),

  Ref.: Layer-0__Site_entry_point/doc/GNUHerds__SQL_Implementation.sql


It is not clear that users can change its email?. You just modify and save, as 
in others job sites I use.

> Actually, we could consider OpenID <http://openid.net/> or public / private
> keys. The latter, however, would probably be technically difficult to make
> properly secure, very few end users know how to use them, and it should
> provide some additional value to just password retrieval to make sure
> people register their public keys.

I have added a postponed task to take note of this. Anyway, I think now the 
email is the standard user ID.

   Task: https://savannah.nongnu.org/task/index.php?6782

Davi