[OpenID] An alternative OpenID UX

Rabbit rabbit at cyberpunkrock.com
Tue Apr 14 21:57:05 UTC 2009

On Apr 14, 2009, at 5:11 PM, Martin Atkins wrote:
> * RPs presumably want to create a good user experience, so they're  
> under pressure to accept login from popular OPs that their users are  
> likely to use. In particular, it's unlikely that any RP would  
> deliberately exclude Google, Yahoo!, Microsoft and so forth. Since  
> most users are going to be using a large provider, most users  
> wouldn't be affected by such whitelisting.

Which also presents a problem when the RP wants to require a policy  
that the big players don't follow. Seems to me policy requirements  
should be relaxed upon entry and rely upon out-of-band solutions to  
pick up where policy compliance left off. In the verified e-mail  
example, the RP can trust that certain OPs have supplied a verified
e-mail while for others the User is shown "Your e-mail must be
verified. Click here" but in both cases, the User is still allowed to  
choose their OP. This is analogous to progressive enhancement  
techniques employed in web design.
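
One way an RP could implement the verified e-mail example above, as an added example that is not part of the original message. The allowlist entry, the function names and the status strings are constructed for illustration, and `op_endpoint` is assumed to be the `openid.op_endpoint` value of an assertion the RP has already verified.

```python
from urllib.parse import urlsplit

# Constructed allowlist: OP endpoints this RP trusts to hand over a verified
# e-mail address. Entries are (scheme, host, path), matched exactly.
EMAIL_VERIFYING_OPS = {
    ("https", "login.bigop.example", "/openid/endpoint"),
}


def _endpoint_key(op_endpoint):
    """Normalize an OP endpoint URL to (scheme, host, path), or None if odd."""
    parts = urlsplit(op_endpoint)
    # Reject userinfo ("https://trusted@evil/...") and URLs without a host.
    if parts.username or parts.password or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port
        return None
    if port not in (None, 443):
        return None
    return (parts.scheme.lower(), parts.hostname.lower(), parts.path or "/")


def email_status(op_endpoint, asserted_email):
    """Decide how the RP treats the e-mail attribute after a successful login.

    Login is never refused here: every OP is accepted, and the result only
    says whether the RP must still verify the address itself (out of band).
    """
    if not asserted_email:
        return "ask_for_email"
    # Exact match on the normalized endpoint, never a substring or suffix
    # test, so a lookalike host cannot inherit the trusted OP's status.
    if _endpoint_key(op_endpoint) in EMAIL_VERIFYING_OPS:
        return "verified_by_op"
    return "needs_rp_verification"
```

A `needs_rp_verification` result corresponds to showing the "Your e-mail must be verified. Click here" prompt; the User's choice of OP is unaffected either way.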

