[OpenID] FW: PROPOSAL: An Extension to transform an EMail Address to an OpenId URL

David Fuelling sappenin at gmail.com
Sun Feb 11 04:22:57 UTC 2007

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eric Norman
> The other vital property of URL based schemes in addition to resolvability
> is that "ownership" can be confirmed.  Email addresses are indeed
> resolvable in the sense detailed here.  Furthermore, ownership can also be
> confirmed at some level of assurance by the often used technique of sending
> something to the alleged email address and seeing if it can be read.
> However, I think a significant factor is whether this can be done quickly
> enough and with few enough tasks for the user such that it's acceptable as
> a login process.  Isn't that the real reason for the first/second class
> citizen distinction?

Proof of email address ownership is another interesting "fallout" of my
Email mapping proposal.  For example, we know that example.com controls the
email address "beth at example.com" since the domains are the same.  If that
email address easily resolves to a URL in the example.com domain (e.g.,
http://beth.example.com) via Yadis and some transform procedure, then this
in itself is enough to prove that the person who controls that OpenId URL
http://beth.example.com also controls the email address beth at example.com (or
else, somebody mis-configured something at example.com).  ;)

Now, imagine that beth at example.com resolves to (via the Yadis document at
example.com) the URL http://somethingelse.myopenid.com .  Now, simply by
traversing the email-to-Yadis-to-URL path, we can actually verify that a
given email address is owned by a given OpenId.

This could theoretically work the other way, too.  Imagine somebody logging
into an RP with the following OpenId: http://beth.exampleidp.com.  Using
Attribute Exchange, beth instructs her OP to release her email
(beth at example.org).  The RP can then perform an email transform to validate
that beth at example.org actually maps to the OpenId Url that she provides.  If
it doesn't, then maybe the RP falls back on "click this link in an email" to
verify that the beth who controls that OpenId actually controls that email.

Once we have a mechanism to map an email to an OpenId, some very cool
verifications are enabled which are ostensibly much more secure than
traditional "we just sent you an email that you need to confirm", which is
not the most secure way to verify an email address.

I still don't know if this is grounds enough to promote email addresses to
first class OpenId citizens, but it's a cool consequence nonetheless.
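
The RP-side check described in this message, as an added example that is not part of the original post or of the proposal. The post does not define the transform, so the `fetch_mapping` callback, the in-memory table standing in for each mail domain's Yadis document, and the result strings are assumptions; all sample data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for each mail domain's Yadis document.
# The post does not define the transform, so this lookup is an assumption.
CONSTRUCTED_MAPPINGS = {
    "example.com": {"beth": "http://somethingelse.myopenid.com"},
    "example.org": {"beth": "http://beth.exampleidp.com/"},
}

def constructed_fetch(domain):
    """Hypothetical stand-in for fetching the mapping published by `domain`."""
    return CONSTRUCTED_MAPPINGS.get(domain, {})

def normalize_openid(url):
    """Canonical form for comparison: lowercase host, no default port, '/' path."""
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme, parts.hostname
    if scheme not in ("http", "https") or not host:
        raise ValueError("not an http(s) OpenID URL: %r" % url)
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if parts.port in (None, default_port) else "%s:%d" % (host, parts.port)
    query = "?" + parts.query if parts.query else ""
    return "%s://%s%s%s" % (scheme, netloc, parts.path or "/", query)

def resolve_email(email, fetch_mapping):
    """Email -> OpenID URL, or None when the mail domain publishes no mapping."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError("malformed email address: %r" % email)
    # Ask only the address's own domain: it is the party that controls the mailbox.
    mapped = fetch_mapping(domain.lower()).get(local)
    return normalize_openid(mapped) if mapped else None

def verify_email_claim(claimed_openid, released_email, fetch_mapping):
    """RP-side check run after the OP has authenticated claimed_openid."""
    mapped = resolve_email(released_email, fetch_mapping)
    if mapped is not None and mapped == normalize_openid(claimed_openid):
        return "verified"
    # No mapping, or it names a different identifier: use the emailed link instead.
    return "fallback-email-confirmation"

if __name__ == "__main__":
    for openid in ("http://beth.exampleidp.com", "http://mallory.exampleidp.com"):
        print(openid, verify_email_claim(openid, "beth@example.org", constructed_fetch))
```

In a deployment `fetch_mapping` would retrieve the document from the mail domain itself, and the "verified" result is only as trustworthy as that retrieval.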

