Otherwise, someone could use passwordauth to register as a username that
looks like an email address, which would be confusing to possibly a
security hole. Probably best to keep passwordauth and emailauth accounts
- entirely distinct.
+ entirely distinct. Update: passwordauth never allowed `@` in usernames.
* Currently, subscription to comments w/o registering is handled by
passwordauth, by creating a passwordless account (making up a username,
not using the email address as the username thankfully). That account can be
>>>
>>> Another way to do it would be to hash the email address,
>>> so the commit appears to come from
->>> `smcv <smcv@dc84925053b18a910f4b95fb7ce1bf802eb7d80e>` instead of
+>>> `smcv <smcv@02f3eecb59311fc89970578832b63d57a071579e>` instead of
>>> from `smcv <smcv@debian.org>` - if the hash is of `mailto:whatever`
>>> (like my example one) then it's compatible with
>>> [FOAF](http://xmlns.com/foaf/spec/#term_mbox_sha1sum).
->>> --[[smcv]]
+>>> --[[smcv]]a
+
+>>> Email addresses are now cloaked in commits, using foaf:mbox_sha1sum. --[[Joey]]
+
+Note that the implementation of this lives in [[plugins/emailauth]].
+
+Also, I have found a similar system called [Portier](https://portier.github.io) that enables email-based auth but enhances it with [[plugins/openid]] connect... Maybe ikiwiki's authentication system could follow the standards set by Portier? OpenID connect discovery is particularly interesting, as it could mean that using your GMail address to login to ikiwiki would mean that you go straight to the more secure OpenID / Oauth authentication instead of relying on the slow "send email and click link" system... --[[anarcat]]