We're currently downcasing email addresses, but doing it too late in the auth cycle. This means that a user can first assert FOO@example.com, but will subsequently assert firstname.lastname@example.org.
(It's not really gone; it's just stored under FOO@example.com, which you can't assert again until you sign out of browserid.org.)
RFC 2821 explicitly states that "the local-part of a mailbox MUST BE treated as case sensitive," but discourages hosts from actually creating case-sensitive mailboxes. It'd probably be best to take a similar approach and preserve the case that the user initially gives us, but allow them to log into browserid.org in a case-insensitive manner.
For a concrete example, say:
Thus, the user always asserts the same casing, but can log in to browserid.org without worrying about case.
This deviates from the RFC for the sake of easing a common use case. We're letting users elect to present themselves with whatever casing they want (since it might be important), but assuming that no two people will have email addresses that differ only by case. This lets us automatically correct for typos when a user is logging into browserid.org.
We can further tweak this solution if it becomes problematic down the line.
This issue might also be relevant for #1104, #1328, and #1294.
Case sensitivity was brought up on the mailing list.
We also talked about this on IRC.
We should close down the other issues we have around email case and point them here.
Technically you probably don't want to use email addresses but acct: URIs https://tools.ietf.org/html/draft-saintandre-acct-uri-01 (basically email addresses but can't necessarily receive email, e.g. acct:email@example.com exists, mailto:firstname.lastname@example.org does not).
There might be enough time to wrestle them into having a stricter definition than:
acctURI = "acct:" userpart "@" host
userpart = 1*( unreserved / pct-encoded / sub-delims )
Testcase - https://moztrap.mozilla.org/manage/caseversion/3563/
Added the label...
That test case redirects me to /, is that intentional?
@graingert what do you mean?
Clicking the link above redirects you to "/" (whether or not you are already signed into MozTrap)?
Or the steps redirect you to "/"?
I am not seeing any issues.
@jbonacci this: Clicking the link above redirects you to "/" (whether or not you are already signed into MozTrap)?
@graingert - that is odd behavior, and unexpected... and, I can not duplicate it!
@csuciu and @jrgm can you try to duplicate this incorrect redirect?
If not logged in, I am challenged, and on completion of that, I get redirected to / and that redirects to /runtests
If already logged in, https://moztrap.mozilla.org/manage/caseversion/3563/ redirects to / and that redirects to /runtests
This is probably a permissions thing.
Ah, it should be a 403, not a 302?
Have these been solved?
Closing as we use the initial email address that the user types as the canonical email address. If the user returns and types in the same email address with different casing, the original email address, with the original casing, will be used instead.
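The behaviour described in the closing comment (the first-typed casing is canonical, and later casings map onto it), as an added example that is not from this thread or from BrowserID's code. `EmailDirectory`, its method names and the sample addresses are assumptions made for illustration.

```javascript
// Added example, not BrowserID's code. EmailDirectory and its method names are
// hypothetical; the addresses below are constructed sample input.
class EmailDirectory {
  constructor() {
    this.canonicalByKey = new Map(); // lowercased address -> address as first typed
  }

  // Matching key only. It is never shown to the user or put in an assertion.
  static lookupKey(email) {
    const at = email.lastIndexOf('@');
    if (at < 1 || at === email.length - 1) {
      throw new TypeError(`not an email address: ${email}`);
    }
    return email.toLowerCase();
  }

  // First registration fixes the canonical casing; later casings map onto it.
  register(typed) {
    const key = EmailDirectory.lookupKey(typed);
    const existing = this.canonicalByKey.get(key);
    if (existing !== undefined) return { canonical: existing, created: false };
    this.canonicalByKey.set(key, typed);
    return { canonical: typed, created: true };
  }

  // Sign-in is case-insensitive, but the address returned (and asserted to
  // sites) is always the stored one, so the identity a site sees never changes.
  resolve(typed) {
    return this.canonicalByKey.get(EmailDirectory.lookupKey(typed)) ?? null;
  }
}

function demo() {
  const dir = new EmailDirectory();
  return [
    dir.register('FOO@example.com'), // first sight: stored as typed
    dir.register('foo@example.com'), // same mailbox under this policy
    dir.resolve('Foo@Example.COM'),  // sign-in with yet another casing
    dir.resolve('bar@example.com'),  // unknown address
  ];
}

console.log(demo());
```

Because the lowercased key is used only for matching, a relying site always receives the same string for a given user, which avoids the split-identity behaviour reported at the top of this issue.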