I’m making an extension. I set its ID to an email address I own and created specifically for this extension. But before I could get it registered, a user did it by accident. Now I can’t use my own address as its ID.
There really should be some sort of verification in this process, when the ID looks like an email address, to confirm that the person actually owns the address they’re claiming.
I’d like to claim my ID (and address), but I see a bunch of other support requests saying that’s not possible. The ID (and address) is just permanently burned, forever. But I hope to at least prevent others from running into similar issues, and prevent potential attacks where people cause trouble for a target by claiming their target’s address-style IDs. It shouldn’t be possible to register an extension with an address-style ID without confirming that you own that address.
Could you validate email-style IDs so they can’t be hijacked?
I don’t work at Mozilla, but to throw in my 2 cents I don’t think this is likely. It would take a good amount of engineer work to build out such a system, and it would also likely require periodic revalidation of the email address’ ownership. If individual extensions were to be tied to an external concept like an email address or domain, it would probably be better to use the existing DNS or Public Key Infrastructure (PKI) rather than standing up a parallel, bespoke system.
The problems you mentioned related to confusion around email address ownership and extension ownership are exactly why Mozilla updated add-on ID documentation to use “@addon-example” style IDs rather than the email address style. If you are able to find docs that suggest or imply using an email format, I’d encourage you to create a documentation bug for that page.