Open chemistrydioxide opened 11 years ago
How does this break Persona, or what is the issue? What would be the expected behavior?
Note: I've asked the same question in #175.
See the response in #175. In brief, BigTent needs to accept OpenID attesting to user@other-domain.tld as proof of user@yahoo.com, if the two are equivalent to Yahoo.
We have evidence that 20% of failures to log in with yahoo email addresses are because of this issue.
I enumerated them! I used Wikipedia! http://en.wikipedia.org/wiki/Yahoo!_Mail#Email_domains
Things I would like to know:
Also, ymail and rocketmail are both distinct, independent namespaces.
Experimental summary:
I registered enduser815@yahoo.co.uk. I can receive mail at that address. Mail sent to any other TLD (yahoo.com, yahoo.co.nz, yahoo.ca) bounces.
I can log into Yahoo itself by typing enduser815@<any-yahoo-mail-domain> and my password.
I can log into Yahoo itself by only typing enduser815 and my password.
So as a Yahoo user, Yahoo doesn't care what I type when I want to log into Yahoo. But it does care what is typed when people try to send me email.
Because Yahoo does not treat TLDs interchangeably for mail, our treating them as interchangeable seems odd.
Specifically, if we implement this proposal, we will begin vouching for addresses that would never be vouched for by our Fallback.
Instead, I propose that we fix #186 and turn on BigTent for the Yahoo Mail domains listed on Wikipedia.
Can you log into Yahoo itself using enduser8a5@whitehouse.gov? i.e., is Yahoo login simply truncating the domain name entirely?
@karlht No. If you use a non-yahoo domain, or use ymail or rocketmail, you get an error and a prompt to create an account instead.
Or at least, I'd strongly urge us to fix #186 as a first course of action, regardless.
Can you log into Yahoo itself using enduser8a5@whitehouse.gov?
Good security question, but a user would never get delegated to BigTent for whitehouse.gov. Or at least not until Obama wants our help ;)
Summary of my opposition: Implementing domain equivalency in Yahoo BigTent means issuing certificates to people for addresses that they neither control nor have access to.
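The issuance decision the objection above is about, written up as an added example in Python. This is not BigTent's or Persona's code; it models a bridge that receives an OpenID response attesting to exactly one mailbox and must decide whether to issue a certificate for the address the user claimed. The domain allowlist, the "equivalence class" of yahoo.* domains, and the sample attempts are all constructed for illustration; the `domain_equivalence` switch models the proposal being argued against.

```python
# Added example, not code from BigTent or Persona. It models the issuance
# decision a Persona-style bridge makes after an OpenID login: the provider
# proved control of exactly one mailbox ("proven"), and the bridge decides
# whether to issue a certificate for the address the user claimed.
# Domain names and sample addresses below are constructed for illustration.

# Constructed allowlist of domains the bridge is enabled for.
ENABLED_DOMAINS = frozenset({
    "yahoo.com", "yahoo.co.uk", "yahoo.ca", "yahoo.co.nz",
    "ymail.com", "rocketmail.com",
})

# Constructed "equivalence class" from the proposal under discussion: the
# provider lets one account log in under any of these domains. ymail.com and
# rocketmail.com are deliberately left out: they are independent namespaces.
YAHOO_EQUIVALENT = frozenset({"yahoo.com", "yahoo.co.uk", "yahoo.ca", "yahoo.co.nz"})


def split_address(email):
    """Split 'local@domain' into (local, domain), lower-casing only the domain.

    The local part is compared byte-for-byte: the bridge should not assume
    anything about the provider's local-part canonicalisation.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return local, domain.lower()


def decide(claimed, proven, domain_equivalence=False):
    """Return (issue_certificate, reason).

    claimed: the address the user typed into Persona.
    proven:  the address the OpenID response attests to.
    domain_equivalence=True models the proposal of accepting proof of
    user@yahoo.co.uk as proof of user@yahoo.com.
    """
    c_local, c_domain = split_address(claimed)
    p_local, p_domain = split_address(proven)

    if c_domain not in ENABLED_DOMAINS:
        return False, "claimed domain %s is not bridged" % c_domain
    if (c_local, c_domain) == (p_local, p_domain):
        return True, "proven address matches claimed address"
    if c_local != p_local:
        return False, "local part mismatch"
    if (domain_equivalence
            and c_domain in YAHOO_EQUIVALENT
            and p_domain in YAHOO_EQUIVALENT):
        # This is the branch the objection targets: a certificate is issued
        # for a mailbox (claimed) that the proof (proven) says nothing about.
        return True, "accepted via domain equivalence (mailbox not proven)"
    return False, "domain mismatch: %s proven, %s claimed" % (p_domain, c_domain)


def unproven_issuances(attempts):
    """List the claimed addresses that equivalence would vouch for without proof.

    attempts: iterable of (claimed, proven) pairs, e.g. from a failure log.
    """
    extra = []
    for claimed, proven in attempts:
        strict, _ = decide(claimed, proven)
        loose, _ = decide(claimed, proven, domain_equivalence=True)
        if loose and not strict:
            extra.append(claimed)
    return extra


# Constructed sample of mismatched-address attempts (not real log data).
SAMPLE_ATTEMPTS = [
    ("enduser815@yahoo.co.uk", "enduser815@yahoo.co.uk"),  # exact: issue
    ("enduser815@yahoo.com",   "enduser815@yahoo.co.uk"),  # domain mismatch
    ("enduser815@yahooo.com",  "enduser815@yahoo.co.uk"),  # typo: not bridged
    ("enduser815@ymail.com",   "enduser815@yahoo.co.uk"),  # separate namespace
    ("someoneelse@yahoo.com",  "enduser815@yahoo.co.uk"),  # local mismatch
]

if __name__ == "__main__":
    for claimed, proven in SAMPLE_ATTEMPTS:
        print(claimed, "<-", proven, decide(claimed, proven))
    print("vouched without proof under equivalence:",
          unproven_issuances(SAMPLE_ATTEMPTS))
```

Running it over the constructed attempts shows the split the thread describes: the typo and the ymail case are rejected either way (and are the cases a better error message, per #186, lets the user fix themselves), while only the yahoo.com-for-yahoo.co.uk case flips to "issue" under equivalence, and it does so without the OpenID response having said anything about that mailbox.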
From looking at a snapshot of mismatched address failures, grouped by claimed identity:
Resolving #186 would allow at least 40% of users (typos and mismatched domains) to self-rescue.
Same as #176 and #175 but this time for Yahoo. Related to #133.
Yahoo doesn't allow several email addresses with the same local part and different domain names to coexist on their system as this would lead to a collision on the Yahoo Messenger system where only the local part of an email address is used to identify a user rather than the full email address.