[OpenID] FW: PROPOSAL: An Extension to transform an EMail Addressto an OpenId URL

David Fuelling sappenin at gmail.com
Mon Feb 12 03:23:57 UTC 2007


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Claus Färber
> 
> David Fuelling schrieb:
>> Proof of email address ownership is another interesting "fallout" of my
>> Email mapping proposal.  For example, we know that example.com controls
>> the email address "beth at example.com" since the domains are the same.  If
>> that email address easily resolves to a URL in the example.com domain
>> (e.g., http://beth.example.com) via Yadis and some transform procedure, 
>> then this in itself is enough to prove that the person who controls that 
>> OpenId URL http://beth.example.com also controls the email address 
>> beth at example.com (or else, somebody mis-configured something at 
>> example.com).  ;)
> 
> No, it's proof that a person who controls beth at example.com authorised
> persons in control of http://beth.example.com. It is NOT proof that
> persons who control http://beth.example.com have any control over the
> address beth at example.com.

I'm not sure I follow you here.  Whichever administrator controls the
example.com domain should be in control of the URL's and the email addresses
that sit in the example.com domain.  

> 
> E.g. http://beth.example.com <=> abeth at example.com (Alice Beth)
>       http://eth.example.com <=> beth at example.com (Bob Eth)
> If the owner of example.com let's the users define the mapping for their
> email address, Bob could not only claim http://bob-eth.otherisp.example
> but also Alice's http://beth.example.com URL.

Yes, but that's not what I was envisioning.  For this to work, the domain
owner (whomever controls example.com) would need to specify a mapping in a
Yadis/XRDS document accessible at the root of example.com.  Users would
either have the choice of using that mapping, or advertising a delegation.

For example beth at example.com resolves to http://example.com for discovery
(via my mapping extension), which results in an XRDS doc that contains an
Email Transform Template: 

<Service xmlns="xri://$xrd*($v*2.0)">
  <Type>http://openid.net/srv/oeat/1.0/ett</Type>
  <URI>https://[username].example.com/</URI>
</Service>

RP's see this and know how to get the OpenId URL that maps to
beth at example.com (i.e., http://beth.example.com).  

The rest is handled by OpenId Auth 2.0 today.  For example, the RP then
performs discovery on http://beth.example.com to see if that URL is
delegating to a different domain of if that URL uses some link at
example.com as an IdP.  For example, the discovered Yadis/XRDS doc
accessible at http://beth.example.com might contain the following, which
would delegate to sappenin.com:

<Service xmlns="xri://$xrd*($v*2.0)">
  <Type> http://specs.openid.net/auth/2.0/signon</Type>
  <URI>http://beth.sappenin.com</URI>
</Service>

There is now a direct link that proves whomever utilizes/controls
http://beth.sappenin.com is the one who owns/controls beth at example.com.





More information about the general mailing list