X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/20d8557c7bff61a7ba58c85a1bfac675c840cbb7..f5a1550441a9d58652d93deacc333f143a7ecfbd:/doc/todo/emailauth.mdwn

diff --git a/doc/todo/emailauth.mdwn b/doc/todo/emailauth.mdwn
index 4cf2e48e5..ec7b4b96d 100644
--- a/doc/todo/emailauth.mdwn
+++ b/doc/todo/emailauth.mdwn
@@ -62,7 +62,7 @@ Implementation notes:
   Otherwise, someone could use passwordauth to register as a username that
   looks like an email address, which would be confusing to possibly a
   security hole. Probably best to keep passwordauth and emailauth accounts
-  entirely distinct.
+  entirely distinct. Update: passwordauth never allowed `@` in usernames.
 * Currently, subscription to comments w/o registering is handled by
   passwordauth, by creating a passwordless account (making up a username,
   not using the email address as the username thankfully). That account can be
@@ -127,8 +127,10 @@ Thoughts anyone? --[[Joey]]
 >>>
 >>> Another way to do it would be to hash the email address,
 >>> so the commit appears to come from
->>> `smcv <smcv@dc84925053b18a910f4b95fb7ce1bf802eb7d80e>` instead of
+>>> `smcv <smcv@02f3eecb59311fc89970578832b63d57a071579e>` instead of
 >>> from `smcv <smcv@debian.org>` - if the hash is of `mailto:whatever`
 >>> (like my example one) then it's compatible with
 >>> [FOAF](http://xmlns.com/foaf/spec/#term_mbox_sha1sum).
->>> --[[smcv]]
+>>> --[[smcv]]a
+
+>>> Email addresses are now cloaked in commits, using foaf:mbox_sha1sum. --[[Joey]]