--On Wednesday, September 26, 2018 17:00 +0200 Henrik Levkowetz <henrik@xxxxxxxxxxxxx> wrote: > Hi John, > > On 2018-09-26 16:35, John C Klensin wrote: >> Henrik, >> >> Two observations, the first in the "in case we ever need to do >> something like this again" category. >> >> First, I'm glad it is possible to do this by logging into >> one's account. Giving phishing concerns, it would be good to >> include an explicit instruction in the note that, as an >> alternative to clicking links in an email message, one can do >> that. Perhaps not a big deal and almost certainly not worth >> going back and trying to re-doing things at this point, but >> worth keeping in mind as good practice. > > Good point. We'll be repeating the consent request to people > who have not given it before the deadline; in order to do > better next time I've added this at the end of the email > template: > > In case you prefer to not follow any email links, due to > phishing considerations, please just go to the datatracker > and use the menu entries to log in or check the help pages > The links above are provided for your convenience, but it > works just as well to go the datracker manually and do > what's needed. > > (Thoughts on the wording are welcome.) I think that is excellent. Three small editorial suggestions: (i) drop "any" from "any email links". It isn't the point. (ii) add "with any of your identities" to "to log in". (iii) Do you want to point people to help pages or more directly to their profiles? By the way, while I think the IETF should be setting an extra-good example, the fact that the links in the message are pointing to datatracker.ietf.org and not, e.g., to www.random-site.example does provide moderately good assurance that nothing evil is going on... to the point that this is a bit of a tempest in a teapot. So, while I think the above is a good idea, I also think that strong criticisms for you for not including it would be a bit out of line. >... >> I got a large number of messages, some addressed to addresses >> that probably appear in RFCs but that I have not actively used >> in a decade or two. My plan had been to respond only to the >> one associated with the address I now use in the tracker and >> just let the automated processes clear the others as offered/ >> threatened. >... > You only need to do one login, and check one personal > information page; that page will list all the email addresses > associated with you and your drafts. You will be able to mark > any of them which are not in active use as not active. Giving > consent to storing your information will leave all records > intact, but email addresses which are not marked active will > not be used to try to contact you, but only for internal > linkage to document author records and similar. > > I hope that answers your question? Together with Robert's response, it does. FYI, I was interested in another case, which is that the RFC Editor database contains an (entirely appropriate warning) about old addresses not working (that warning might be in the datatracker too.. don't remember). If someone is trying to contact, e.g., a document author, knowing the mapping from older to a current/primary addresses would be a significant benefit, at least if the information is sufficiently controlled. But that is really a different problem for a different day. best regards, john
