[OpenID] [oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth
mart at degeneration.co.uk
Wed Apr 8 04:33:10 UTC 2009
Breno de Medeiros wrote:
> Clearly, because of spam and other security issues, RPs cannot accept
> email claims from any OP. The fact that the domain name and email
> address match is not sufficient because it is often the case that an
> email domain and an HTTP domain do not match. It is also too
> restrictive a strategy because it prevents using OPs that are not
> email providers (but that could otherwise be trusted to verify such
I agree with everything you said, but I just wanted to take a step back
and talk about what you said above...
In theory, with a suitable discovery mechanism that asks the right party
(either the mail service itself -- which is unlikely -- or at least the
DNS), you *can* allow assertions directly about email addresses without
Of course, the two major problems with that are:
* It's not HTTP, and therefore it excludes anyone that's not an uber-nerd.
* It only verifies that the email address is "owned" by the logged in
user as far as the OP is concerned. It doesn't actually verify that the
address is capable of recieving mail nor that mail recieved will
actually go to the right human user.
The two main reasons to require an email address that can accept mail
are to allow you to send the user unwanted mail (if the user wanted the
mail he wouldn't be going out of his way to give you a false email
address) or as an obstacle against automated registrations (which has
been proven ineffective with current spambot technology).
The first of these reasons is user-hostile and the second is largely moot.
Of course, I don't have a solution to the "It's not HTTP" problem.
And with all that said, I would love to see a mechanism for my OpenID
provider to accept messages on my behalf. Years ago I specced out a
protocol simply called "Send a Message Protocol" which was intended to
solve this problem, but it was never migrated from the old OpenID wiki
and I don't know how to get to the old OpenID wiki. It was a pretty
straightforward protocol anyway, and now that OAuth is a standard (which
it wasn't at the time) it ought to be even simpler.
More information about the general