[OpenID] About Facebook, MySpace and OpenID
mart at degeneration.co.uk
Fri Apr 3 20:42:13 UTC 2009
Eric Norman wrote:
> On Apr 3, 2009, at 11:33 AM, Brian Kissel wrote:
>> If all OPs would pass a verified email address (with end user consent)
>> I believe all RPs would certainly prefer it.
> Why would an RP consider an email address verified if it is supplied
> by an OP that is controlled by the user? Do you really expect an RP
> to consider an email address verified based on nothing more than the
> user's say-so?
The proposal that's been on the table but has gone quiet of late has two

* A protocol extension that allows an OP to signal that it has
  verified the provided email address, for some definition of verified.
* A business deal or other kind of guarantee between the OP and the RP
  that when the OP sets this flag the verification is sufficient for the

In other words, this is not a problem solved by technology alone.
The longer-term approach would be to make the email address itself be an
identifier, with assertions made by the email provider, though there is
still the debate about what exactly constitutes "validation" of an email
address. (Most RPs want to know not just that the person signing in owns
the email address but that the email address is able to receive mail.)