[OpenID] [oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

Martin Atkins mart at degeneration.co.uk
Wed Apr 8 04:33:10 UTC 2009


Breno de Medeiros wrote:
> Clearly, because of spam and other security issues, RPs cannot accept
> email claims from any OP. The fact that the domain name and email
> address match is not sufficient because it is often the case that an
> email domain and an HTTP domain do not match. It is also too
> restrictive a strategy because it prevents using OPs that are not
> email providers (but that could otherwise be trusted to verify such
> emails).
> 

I agree with everything you said, but I just wanted to take a step back 
and talk about what you said above...

In theory, with a suitable discovery mechanism that asks the right party 
(either the mail service itself -- which is unlikely -- or at least the 
DNS), you *can* allow assertions directly about email addresses without 
whitelisting.

Of course, the two major problems with that are:

* It's not HTTP, and therefore it excludes anyone that's not an uber-nerd.

* It only verifies that the email address is "owned" by the logged-in 
user as far as the OP is concerned. It doesn't actually verify that the 
address is capable of receiving mail nor that mail received will 
actually go to the right human user.

The two main reasons to require an email address that can accept mail 
are to allow you to send the user unwanted mail (if the user wanted the 
mail he wouldn't be going out of his way to give you a false email 
address) or as an obstacle against automated registrations (which has 
been proven ineffective with current spambot technology).

The first of these reasons is user-hostile and the second is largely moot.

Of course, I don't have a solution to the "It's not HTTP" problem.

And with all that said, I would love to see a mechanism for my OpenID 
provider to accept messages on my behalf. Years ago I specced out a 
protocol simply called "Send a Message Protocol" which was intended to 
solve this problem, but it was never migrated from the old OpenID wiki 
and I don't know how to get to the old OpenID wiki. It was a pretty 
straightforward protocol anyway, and now that OAuth is a standard (which 
it wasn't at the time) it ought to be even simpler.