Re: [bitfolk] New rescue environment

Author: Duggie
Date:  
Subject: Re: [bitfolk] New rescue environment
Subject: Re: [bitfolk] Proving that you are you
X-List-Received-Date: Thu, 12 Jul 2012 19:35:08 -0000


On 2012-07-07 7:07 PM, Andy Smith wrote:
> Hi Aaron,
>
> On Sat, Jul 07, 2012 at 05:38:13PM +0100, Aaron B. Russell wrote:
>> Rationale: you'd have a copy of that image file once I'd sent it to you, and chances are a few other people may have access to that image file, so verifying I actually had the real document would be somewhat important (though of course depending on the video quality this may not be a great solution as you might not be able to verify the document is the same one as in the image…)
>
> So are you saying that if
>
> - YOU had disabled the password reset, and
> - YOUR service were down, and
> - you were communicating with me via email (possibly from a
>    different email address to the one in our database)
>
> YOU would not want me to reset your account password based on an
> image of a utility bill, but would insist upon a government ID that
> I recognise?


That makes sense, yes, however:

> Also what would be your suggestion regarding government IDs that I
> don't recognise (not all customers are from the UK)?


I don't think you'd know a real South African ID document or driver's
license from a fake one. How many other customers from how many other
countries do you have?



From: Peet Grobler <peet@???>
Date: Thu, 12 Jul 2012 21:39:37 +0200
Subject: Re: [bitfolk] Proving that you are you


On 2012-07-07 7:30 PM, Andy Smith wrote:
> Hi Aaron,
>
> On Sat, Jul 07, 2012 at 06:13:53PM +0100, Aaron B. Russell wrote:
>> Perhaps if, at the time of disabling password resets, a customer was required to send in an image of a government ID that you could keep on file and validate against, in case they ever did lock themselves out? I'm not sure how happy people would be to do that, though.
>
> I like this option far less than my suggestion that anyone who
> wanted to disable password resets would have to upload a PGP or SSH
> key first.


I would be happy to upload an ssh key and pgp key in this situation. I
will not be happy to provide a copy of my ID or driver's license, which
can be stolen and used for other purposes, to _any_ company.

> Most people can't be bothered with public key crypto, but if someone
> is going to disable the one way they have to getting access when locked
> out then perhaps they could be forced to bother.


Make that an option. You must have one of:
- password reset
- ssh key
- pgp key
- some Pre-Shared-Key (?)
- some Pre-Shared Token (i.e. password)

You can't select 'none'. You need one of them. I'd be cautious about using
ssh keys; I have lost some private keys in various situations.

>
> Maybe I should just ask this question (off-list) of the few
> customers who have disabled password reset and see what they
> consider an appropriate level of security should the worst happen.
> It doesn't affect the majority of you and I think people have
> difficulty putting themselves into such a hypothetical situation.


I'll think about it while I can't sleep tonight. Might come up with
something.
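Added example, not part of this thread or of BitFolk's systems: one way a host could let a customer who disabled e-mail password reset prove possession of the key they uploaded, as Andy suggests, without anyone mailing a scan of an ID. Assumptions: an ed25519 key stands in for the uploaded SSH key, the account name "customer" and the "password-reset:" message prefix are invented, and the challenge is single-use and time-limited so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Challenge is issued by the host; only Nonce is sent to the customer.
type Challenge struct {
	Nonce   []byte
	Expires time.Time
	Used    bool
}

// NewChallenge draws a fresh random nonce that is valid for ttl.
func NewChallenge(ttl time.Duration) *Challenge {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err) // no entropy: refuse to issue a challenge at all
	}
	return &Challenge{Nonce: n, Expires: time.Now().Add(ttl)}
}

// message binds the nonce to the operation and the account name, so a
// signature cannot be replayed for another account or another purpose.
func message(account string, nonce []byte) []byte {
	return append([]byte("password-reset:"+account+":"), nonce...)
}

// Sign is the customer's side: sign the challenge with the private key
// that pairs with the public key uploaded when reset was disabled.
func Sign(priv ed25519.PrivateKey, account string, c *Challenge) []byte {
	return ed25519.Sign(priv, message(account, c.Nonce))
}

// Verify is the host's side: allow the reset only if the signature checks
// against the key on file and the challenge is unexpired and single-use.
func Verify(onFile ed25519.PublicKey, account string, c *Challenge, sig []byte, now time.Time) error {
	if c.Used || now.After(c.Expires) {
		return errors.New("challenge expired or already used")
	}
	if !ed25519.Verify(onFile, message(account, c.Nonce), sig) {
		return errors.New("signature does not match key on file")
	}
	c.Used = true
	return nil
}
```

The private key never leaves the customer, which is the point of the key-upload option over an ID scan: the host holds nothing that can be stolen and reused elsewhere.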
