On Mon, Dec 22, 2014 at 4:18 AM, Tarek Ziade <[email protected]> wrote:
>
> On Mon, Dec 22, 2014 at 6:54 AM, Ryan Kelly <[email protected]> wrote:
> [..]
>
>> 3) "Bob forgot his password, so you've lost access to that data"
>>
>> This is completely unacceptable :-)
>
> Not sure about this one. That really depends on the context. For example:
>
> Someone steals Bob's laptop and sends an encrypted message to Sarah. Bob
> changes his FxA credentials on his second device.
>
> Bob wants to revoke any data encrypted with the laptop.
>

Explicit revocation is different from “revocation as a surprising side effect of doing something else that’s not obviously going to trigger revocation”. Ryan’s point is that password reset could easily fall into the latter type if we’re not careful.

-chris

>> Cheers,
>>
>> Ryan
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct

