2019-02-28 UTC
fr33domlover cjslep[m], (3) Suppose you give user john@doe.com edit access to your file. Suppose for a moment, the way you identify joe is by his public key, using HTTP signatures. Now imagine the server at doe.com shuts down, and the domain is expired. Now I, an attacker, rent doe.com, create a user named joe and try to make malicious commits to your file. How does your server know I'm not the original john@doe.com?