[OpenID] Relationship of OpenID URLs and e-mail addresses

frumioj at mac.com frumioj at mac.com
Tue Apr 3 17:46:58 UTC 2007


Granqvist, Hans wrote:
> Some kinds of schemes work (one way hashes of email address for example)
> but users would indeed reject those since they'd want the same handle.
> 
> I think your spamming fear is a bit overrated. There are so many email
> addresses available to use for spammers already.

Imagine that OpenID were to provide a canonical mapping of OpenIDs to
email addresses supported by all OPs. Wouldn't that at least /seem/ to
increase the possibility of spam by giving a nice single
machine-processable algorithm?

> 
> Since the email addresses are all on your domain your best bet would be
> to go with the flow and get a good spam wall up. . . ?

If you're serious about not contributing to spam, then you might want to
think about the following:

i) There should be no standardized canonical mapping from email
addresses to OpenIDs. Each OP should be free to implement his or her own
mapping, and/or delegate this operation to his or her users.
ii) Of course, the problem with URL identifiers is that they tend not to
be secret and they need to be human-readable. Email addresses are
assumed to be shared only with the group of people with whom one wishes
to exchange email. If your OpenID were only shared with those with whom
you wished to receive email (just like your email address) then there
would be no additional contribution to spamming. But users usually need
to understand and know their OpenIDs to type them in at their OP...
Perhaps additional means of discovery that didn't involve users typing
an OpenID might be useful?

Might there be room to write some guidelines for the generation of
OpenIDs given that there are quite a few OpenID URLs being produced
these days?

Regards,

- John
>
>  -----Original Message-----
> From:   Johannes Ernst [mailto:jernst+openid.net at netmesh.us]
> Sent:   Tuesday, April 03, 2007 10:01 AM Pacific Standard Time
> To:     openid-general
> Subject:        [OpenID] Relationship of OpenID URLs and e-mail addresses
> 
> Assume you are hosting millions of e-mail addresses for your 
> customers, like
>      <username>@example.com.
> Now you decide to also become an OpenID Provider for your customers.
> 
> It would be straightforward to automatically create an OpenID for 
> each of your users, e.g. like
>      http://openid.example.com/<username>
> 
> Every spammer in the world will realize that this is how the scheme 
> works, and they will harvest all URLs on the net that start with 
> http://openid.example.com and spam the heck out of your users. Right?
> 
> However, having different <username> components for e-mail and OpenID 
> is more complex (e.g. how do I explain this to mass-market customers? 
> How many users will bother to pick a new handle for their OpenID?)
> 
> Does anybody have any ideas how to best solve this conundrum?
> 
> 
> 
> Johannes Ernst
> NetMesh Inc.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
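
An added example, not part of the original message: it compares the `http://openid.example.com/<username>` mapping from the thread, an unkeyed hash of the e-mail address, and an OP-private keyed mapping, and checks which of them lets an outsider tie a published OpenID URL back to a mailbox. The HMAC construction, the OP secret and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

OP_BASE = "http://openid.example.com/"  # URL form used in the thread

def naive_scheme(email):
    """OpenID path is the mailbox name itself."""
    return OP_BASE + email.split("@", 1)[0].lower()

def hashed_scheme(email):
    """Unkeyed one-way hash of the address: anyone can recompute it."""
    return OP_BASE + hashlib.sha256(email.lower().encode()).hexdigest()[:32]

def make_keyed_scheme(op_secret):
    """OP-private mapping: HMAC-SHA256 under a secret only the OP holds."""
    def scheme(email):
        mac = hmac.new(op_secret, email.lower().encode(), hashlib.sha256)
        return OP_BASE + mac.hexdigest()[:32]
    return scheme

def confirmable(openid_url, guesses, public_scheme):
    """Addresses in `guesses` that map to openid_url under a scheme
    an outsider is able to compute."""
    return [g for g in guesses if public_scheme(g) == openid_url]

# Constructed sample data: addresses an outsider might already hold.
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]

def demo():
    keyed = make_keyed_scheme(secrets.token_bytes(32))
    target = "alice@example.com"
    return {
        "naive": confirmable(naive_scheme(target), GUESSES, naive_scheme),
        "hashed": confirmable(hashed_scheme(target), GUESSES, hashed_scheme),
        # Without the OP secret the outsider can only try public schemes
        # or a guessed key; neither reproduces the published URL.
        "keyed_vs_hash": confirmable(keyed(target), GUESSES, hashed_scheme),
        "keyed_vs_wrong_key": confirmable(
            keyed(target), GUESSES, make_keyed_scheme(b"guessed-key")),
    }

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:20s} -> {hits}")
```

The keyed identifier is no more human-readable than the plain hash, so it does not answer the objection in the thread that users want the same handle.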



