[OpenID] About Facebook, MySpace and OpenID
martin at paljak.pri.ee
Fri Apr 3 19:18:54 UTC 2009
On 03.04.2009, at 19:33, Brian Kissel wrote:
> At the Content Provider Advisory Committee we heard from several RPs
> that the most important data they wanted from OPs was email address,
> followed by age or date of birth for any sites that had COPPA
> compliance goals. Further, if the OP can pass a “verified” email
> address so that RPs don’t have to go through the 2 step registration
> dance of waiting for users to “verify” their email address, that
> improves registration success rate. There’s a big drop off from
> email registration due to verification emails going to spam folders
> or users just forgetting to go through the last step to verify an
> If all OPs would pass a verified email address (with end user
> consent) I believe all RPs would certainly prefer it.
I don't think it would work in the "open" context of OpenID unless the
e-mail domain shares the domain with the OP.
My theory as a RP goes like this:
- It is OK for me to accept *your* claim that provider X is good and
knows how to identify and authenticate you. I have nothing to lose
except that if you have chosen a bad provider, you might be vulnerable
to some hacks or so, but it is YOUR (or your RP-s) responsibility, not
- It is not OK for me to accept a claim about an e-mail address Y
from provider Z and accept it without any other, out of band
agreements or some CSP-s and validation like CA-s have. My service or
servers will be marked as spam sending servers if I receive garbage.
My service will be blaimed if for some reason you are not able to
receive e-mails from my service (not only does the verification e-mail
end up in spam folder but all real e-mails my service sends to you,
end up in the spam folder as you have not marked the initial
verification e-mail as ham)
As said before by someone else, it comes down to "trust issues" in the
protocol (not possible) vs establishing trust in the ecosystem
(possible, but methods vary).
Of course, for me the current CA business trust model is also broken,
> Brian Kissel
> Cell: 503.866.4424
> Fax: 503.296.5502
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On Behalf Of Andrew Arnott
> Sent: Friday, April 03, 2009 8:58 AM
> To: santrajan
> Cc: general at openid.net
> Subject: Re: [OpenID] About Facebook, MySpace and OpenID
> I really don't understand this obsession you have about how OpenID
> is a useless "extra step" without an email address being part of it.
> Any shopping mall web site that requires a login will need to take a
> username+password, plus email verification, or an OpenID, plus email
> verification. There's no extra step -- it's an exchange of one step
> for a different step. And yes, it absolutely makes sense to do this
> because customers won't have to create yet another username and
> I really don't care too much about jumping to my email client for an
> email verification step. I don't mind that. What I really mind is
> remembering another username and password because that lasts a long
> I'm not disagreeing that skipping email verification would be
> convenient, but geez, man, how long can you beat this dead horse?
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - Voltaire
> On Fri, Apr 3, 2009 at 8:43 AM, santrajan <santrajan at gmail.com> wrote:
> I am posting the full text of my blog post with the same subject here.
> MySpace recently announced there support for OpenID. The idea here
> is that
> MySpace users will be able to log in to third party sites with their
> Id's. MySpace users needn't get too exited about it too soon.
> Consider this. A MySpace user would like to log in to her favorite
> site with her MySpace Account. The shopping site is unlikely to
> MySpace Logins. The simple reason being that shopping sites need the
> addresses of their authenticated users for various reasons
> orders, delivery, new stock etc etc). It doesnt make sence to the
> site to authenticate using MySpace (An extra step) and then run the
> through another email verification process. This will also be true
> for many
> other web sites that require their users to login.
> However MySpace could have made the users email available to the
> site (Ofcource with the users consent only) via a provision in the
> specifications called SREG. So then why didnt MySpace choose to
> This is not a problem for MySpace alone. When Facebook decides to
> OpenID it will be faced with the same dilemma. It is really a
> thought for social networking sites to hand over their users email
> to a third party. For social networking sites keeping the users
> bound their
> network is of primary importance.
> However an equally frightening possibility for social networking
> sites is to
> see their users start using Google accounts and Yahoo accounts to
> log in
> into third party sites! They could start loosing users in that case
> The jury is out on what these guys should do.
> But I am clear on what MySpace should have done. Facebook being the
> no 1
> social networking site can wait this one out a bit more. However
> should really have capitalized on this opportunity. Supported SREG
> and tried
> to rope in third party sites to support MySpace logins, and tried to
> build a
> small advantage over Facebook on this account.
> View this message in context: http://www.nabble.com/About-Facebook%2C-MySpace-and-OpenID-tp22871070p22871070.html
> Sent from the OpenID - General mailing list archive at Nabble.com.
> general mailing list
> general at openid.net
> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 3985 (20090403) __________
> The message was checked by ESET NOD32 Antivirus.
> general mailing list
> general at openid.net
More information about the general