[OpenID] About Facebook, MySpace and OpenID

Martin Atkins mart at degeneration.co.uk
Fri Apr 3 20:42:13 UTC 2009

Eric Norman wrote:
> On Apr 3, 2009, at 11:33 AM, Brian Kissel wrote:
>> If all OPs would pass a verified email address (with end user consent) 
>> I believe all RPs would certainly prefer it.
> Why would an RP consider an email address verified if it is supplied
> by an OP that is controlled by the user?  Do you really expect an RP
> to consider an email address verified based on nothing more than the
> user's say-so?

The proposal that's been on the table but has gone quiet of late has two 

  * A protocol extension that allows an OP to signal that it has verified the provided email address, for some definition of verified.

  * A business deal or other kind of guarantee between the OP and the RP that when the OP sets this flag the verification is sufficient for the RP's needs.

In other words, this is not a problem solved by technology alone.

The longer-term approach would be to make the email address itself be an 
identifier, with assertions made by the email provider, though there is 
still the debate about what exactly constitutes "validation" of an email 
address. (Most RPs want to know not just that the person signing in owns 
the email address but that the email address is able to receive mail.)
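An added example, not part of the original thread and not code from any OpenID library, of how an RP might apply the two-part proposal described above (a protocol flag plus an out-of-band agreement) and the "owns it" versus "can receive mail" distinction. It reads the real OpenID 2.0 Attribute Exchange parameters (openid.ns.<alias>, openid.<alias>.type.*, openid.<alias>.value.*, openid.op_endpoint); the flag openid.ext_verified.email, the trusted-OP set, and the endpoint URL are assumptions for illustration, since no such extension was standardised:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# Real OpenID 2.0 AX namespace and the axschema type for an email address.
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPE = "http://axschema.org/contact/email"

# Hypothetical extension flag: an OP sets it to "true" when it has verified
# the address under whatever definition the OP/RP agreement specifies.
VERIFIED_FLAG = "openid.ext_verified.email"

# Hypothetical: the OP endpoints this RP has an agreement with.  This is the
# "business deal" half of the proposal; without it the flag means nothing.
TRUSTED_OP_ENDPOINTS = {"https://op.example.com/openid"}


class EmailTrust(Enum):
    UNVERIFIED = "unverified"        # address supplied, nothing more
    OP_ASSERTED = "op_asserted"      # a trusted OP says the user owns it
    DELIVERABLE = "deliverable"      # the RP itself got a confirmation mail round-trip


@dataclass
class EmailClaim:
    address: Optional[str]
    trust: EmailTrust


def extract_ax_email(params: Dict[str, str]) -> Optional[str]:
    """Return the AX email value, whatever alias the OP chose for AX."""
    ax_alias = None
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            ax_alias = key[len("openid.ns."):]
    if ax_alias is None:
        return None
    prefix = f"openid.{ax_alias}."
    for key, value in params.items():
        if key.startswith(prefix + "type.") and value == AX_EMAIL_TYPE:
            attr_alias = key[len(prefix + "type."):]
            return params.get(prefix + "value." + attr_alias)
    return None


def classify_email(params: Dict[str, str],
                   discovered_op_endpoint: str,
                   trusted_ops=TRUSTED_OP_ENDPOINTS) -> EmailClaim:
    """Decide how much to trust the email an OP returned.

    Assumes the caller has already checked openid.sig on the response.
    discovered_op_endpoint is the endpoint the RP found during discovery;
    the response's own openid.op_endpoint is only trusted if it matches,
    so an OP cannot claim to be a different (trusted) OP.
    """
    address = extract_ax_email(params)
    if address is None:
        return EmailClaim(None, EmailTrust.UNVERIFIED)
    op = params.get("openid.op_endpoint", "")
    flag_set = params.get(VERIFIED_FLAG, "").lower() == "true"
    if flag_set and op == discovered_op_endpoint and op in trusted_ops:
        return EmailClaim(address, EmailTrust.OP_ASSERTED)
    # Flag from an OP we have no agreement with is just the user's say-so.
    return EmailClaim(address, EmailTrust.UNVERIFIED)


def after_confirmation_roundtrip(claim: EmailClaim) -> EmailClaim:
    """Upgrade a claim once the RP's own confirmation link was followed.

    This is the only path to DELIVERABLE: an OP can vouch for ownership,
    but only the RP's own mail delivery proves the mailbox receives mail.
    """
    if claim.address is None:
        return claim
    return EmailClaim(claim.address, EmailTrust.DELIVERABLE)


# Constructed sample response from a trusted OP, signature assumed checked.
SAMPLE_RESPONSE = {
    "openid.op_endpoint": "https://op.example.com/openid",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.mail": AX_EMAIL_TYPE,
    "openid.ax.value.mail": "alice@example.org",
    VERIFIED_FLAG: "true",
}

if __name__ == "__main__":
    claim = classify_email(SAMPLE_RESPONSE, "https://op.example.com/openid")
    print(claim)
```

The point the example makes is that the flag alone never raises trust: the RP checks that the endpoint is the one it discovered and that it belongs to an OP it has an agreement with, and deliverability is still established only by the RP's own confirmation mail.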

