This seems like a boon to credential stuffing attacks. Given a list of passwords and email addresses, having a well known, email keyed URL would allow an attacker to quickly find if any of the emails have an account on the service, before going through the better secured and more time consuming login page.
I'm not sure why this would need to be its own well-known url instead of just a WebFinger resource, considering it's nearly identical to WebFinger already. Would just have to always return a link to an image instead the image itself (or a base64 blob of image data in a property, I guess) regardless of image/* being in the Accept header.
My thinking was that it is one less HTTP request. Rather than call the WebFinger, process it, then call the avatar - this is a one-and-done request for the image itself.
That's true. It doesn't really simplify the server implementation, because you still need to basically re-implement WebFinger to handle clients that don't accept image/*, but it makes it possible to implement a really simple client that just makes a simple GET for an image resource and either gets it or doesn't, without needing to implement any client logic for WebFinger.
I don't think there's really any performance benefit to "one less HTTP request" since you still only even get that case if the client accepts a direct image AND the image is served directly in response to the well known query (instead of serving a redirect to a file store or something where the image really lives), but it might be nice if WebFinger had a method of providing "shortcuts" to resources so this was possible without implementing a new WebFinger-like protocol on a new well-known url.
I might just be getting curmudgeonly in middle age, but I don't like this. I want it to be harder for services to share information about me. My address and phone number are also "public" but that doesn't mean I want every site to keep a copy of them.
The nice thing about this is that it is optional. I am not the Internet Police; I can't force you to adopt this.
But, take for example your Keybase URl https://keybase.io/kej - why can't all the services that you've linked to from it pull in your avatar from there as well as your public key?
Google+ was a boon for finding people by their phone number. So is to this day, to some extent, facebook. Add a number to your contacts and the social network will helpfully fill in the blanks.
> When I sign up to a web service, I don't want to faff around uploading an image to use as my avatar. I want that service to look at my email address or social-sign-in and automatically pick up my preferred graphic.
"Faff around" meaning, like, probably four or so clicks?
It's the same argument for social sign in. Most people can't be bothered with the faff of typing in an email address and password, then clicking on their email to verify, then adding their name.
So they click "Sign in with Facebook / Twitter / GitHub".
For anyone who thinks that may be a hand wave, there isn't a standard way to normalize email addresses. If you're building to the spec, then the local part can be processed case-sensitively, so Django lowercases the part after @ only. Others strip out stuff like gmail's +tags and really get into the weeds of how different email providers process emails.
In my mind, the "Right Thing to Do" would be to follow the precident established by OpenPGP's `.well-known` email-hashing in Web Key Directory (not the prefix of course, and barring technical arguments justifying deviation, which may be considered on merit).
> SHA-1 hashed and z-Base-32 encoded [to distinguish it from a fingerprint]
> The local part is always lower-cased before the encoding. [...] A common example for case-insensitivity are visiting cards which capitalize the canonical lowercase mail address for easier reading.
People can put images into their HTTP server directory named as email addresses. This makes it easier to implement for vanity domains. No server-side code necessary. It still allows someone to build a dynamic script that handles the "/.well-known/avatar/" path.
I like this idea, but would want my email provider (Fastmail, in this case) to offer configuring and serving the well known info. If I move providers, this config should be exportable as part of the bundle to migrate.
Gravatar was interesting to proof of concept the idea, but it should not be a centralized service, it should be a protocol or protocol extension. Conversely, I am unsure if a directory service specifically for this is needed (versus leaning on existing open and established systems), but I could be wrong.
gravatar is already quite creepy - it's not uncommon for random websites to show a gravatar icon, in public, for a user, without prompting, thus exposing your real identity without permission purely because you didn't use a throwaway email address.
So, the nice thing is, this is optional. If you want to sign in with Twitter for everything - go ahead! If you want to create a new cloaked email for everything - you still can.
Just like you advertise your website on your GitHub and your HN profile, I want to make it easy to show my photo on sites that I choose to use. What's wrong with that?
this isn't just letting people use their twitter pic everywhere, it's allowing twitter (and whoever else) to query their email server for an image to represent the user.
services shouldn't leak user email addresses or that those users use that service.
users shouldn't have to juggle different email addresses to maintain distinct identities on different services.
with gravitar, the user is opting into losing pseudonymity, seeing as it's pretty trivial to take lists of email addresses you want to hunt down, md5 them, and then check them against places that user gravitar comments to identify comments are made by someone specific )
with this suggestion, every user on every email server that supports it, which would likely include all the common large ones if the author had their way, would fall afoul of constant identity leakage across every service they use.
an adversary need only crawl different services and hash the user avatars, spam email servers with requests for addresses dropped in leaks or otherwise available publicly, and match them up to remove privacy from the internet
I don't understand how this opt-in email tied service which you or your email provider has to implement is in any way preventing you from having disconnected identities online.
If you own a domain and your disconnected identities are all tied to the same domain (or email address) then you have exactly the same issue.
this leaks the identity through the services. you can't normally get an email address or verify who someone on twitter or whatever is unless the user specifically chooses to share it.
you could use this to query the email server, and to crawl various services to match up identities across them.
most users do not own their own domains, and this would have to be implemented on the major free email providers to be useful, offering up every user on them for casual identification via any service that displays their image
But ... the email provider can't force you to give them a picture of you. I mean... unless they force you to give them _a picture_ and then do verification to check that it's you. Which is never going to happen.
Couldn't it be done with WebFinger though?