[PROPOSAL] Handle "http://user@example.com" Style Identifiers

David Fuelling sappenin at gmail.com
Wed Nov 8 18:39:58 UTC 2006


Please see my questions/ideas enclosed...

Thanks!

David Fuelling

> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
> Of Drummond Reed
> Sent: Friday, October 20, 2006 1:04 AM
> To: 'Recordon, David'; specs at openid.net
> Subject: RE: [PROPOSAL] Handle "http://user@example.com" Style Identifiers
> 
> There have been several long threads in the past about using email
> addresses as OpenID identifiers. The conclusion each time has been to
> avoid it. I don't remember all the arguments, but among them are:
> 
> * Privacy: the last thing many users want to give a website is their email
> address.

This seems reasonable at first glance.  However, almost every website I have
a login with (today) requests my email address so that the site can
communicate with me electronically.  

So, if email addresses WERE used as an additional "login input" for OpenID,
a user who didn't want to use his/her email address to log in could always
just use an IdP URL or XRI instead (as they can today).

Am I missing the privacy concern here?  

> * Reassignability: email addresses are not only reassignable, but for some
> domains, they are notoriously short-lived identifiers.

Is this really such a problem?  It seems to exist for URLs in the current
protocol proposal anyway.  For instance, most people don't own a domain,
which means they'll be using OpenID URLs that somebody else owns.  Thus,
URLs are reassignable too, and suffer from this in the same way (although I
don't really see this as a problem).

> * Non-portability: unless you own the top-level domain, they aren't
> portable.

Again, is this a problem if the email isn't the actual identifier?  If we
have a means of mapping an email to an OpenID Identity URL, then if the
email goes away (is transferred or otherwise not in the control of the
original user), then what's the problem?

Point 1.) Losing an email address is no different than the case where a URL
is lost/transferred/goes away.

Point 2.) If a user "lost" his email address, theoretically the owner of the
email address (example.com, e.g.) would remove the mapping from
beth@example.com to beth's Identity Provider URL.

Point 3.) Even if the email address domain owner failed to remove this
mapping, only the end-user (beth in this case) would be using the email to
log in.  Presumably, if she switched email addresses, she would use her new
address to log in, and it wouldn't matter.  Somebody else trying to use her
email address would need to log in to the IdP, and presumably be stopped
there.

> Food for thought...
> 
> =Drummond




