On 19/02/22 19:38, Björn Persson wrote:
> Zbigniew Jędrzejewski-Szmek wrote:
>> I think it'd be better to check the status weekly and only require
>> account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋
>> times in a row (where N=quarantine length in days).
>
> It will be fine as long as it's done before the domain is released for
> registration. Let's just not make it so tight that a little unscheduled
> downtime can open an attack window.
>

But this covers just the case where a domain is expired and free to take. I agree this would be the easiest attack vector, but what about if it's only the user email that expires and is free to take? There are (at least, I'm sure there were) some free email services that expire email addresses not used for a year or so. Also, in a previous comment in this thread, someone pointed out that email addresses from universities or other institutions can also be "recycled".

These are harder attack cases, but they're possible. That's why I proposed a check against user activity rather than a check against domain or email reachability.

Mattia