[PROPOSAL] Handle "http://user@example.com" Style Identifiers

Hallam-Baker, Phillip pbaker at verisign.com
Wed Nov 8 18:45:04 UTC 2006


Please don't use HTTP this way. That is not the semantics for http URLs.

A better scheme would be to use mailto:user@example.com or to define openid:user@example.com


There are two issues here:

1) The user presentation of the identifier
2) The machine presentation

The two do not need to be the same. www.cnn.com works perfectly well as a way to locate CNN. That is a perfectly acceptable user presentation. It is not an acceptable machine presentation and browsers SHOULD NOT accept href="www.cnn.com".


 

> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of David Fuelling
> Sent: Wednesday, November 08, 2006 1:40 PM
> To: specs at openid.net
> Subject: RE: [PROPOSAL] Handle "http://user@example.com" 
> Style Identifiers
> 
> Please see my questions/ideas enclosed...
> 
> Thanks!
> 
> David Fuelling
> 
> > -----Original Message-----
> > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On 
> > Behalf Of Drummond Reed
> > Sent: Friday, October 20, 2006 1:04 AM
> > To: 'Recordon, David'; specs at openid.net
> > Subject: RE: [PROPOSAL] Handle "http://user@example.com" Style 
> > Identifiers
> > 
> > There have been several long threads in the past about using email 
> > addresses as OpenID identifiers. The conclusion each time has been to
> > avoid it. I don't remember all the arguments, but among them are:
> > 
> > * Privacy: the last thing many users want to give a website is their 
> > email address.
> 
> This seems reasonable at first glance.  However, almost every 
> website I have a login with (today) requests my email address 
> so that the site can communicate with me electronically.  
> 
> So, if email addresses WERE used as an additional "login 
> input" for OpenId, a user who didn't want to use his/her 
> email address to login could always just use an IdP URL or 
> XRI instead (as they can today).
> 
> Am I missing the privacy concern here?  
> 
> > * Reassignability: email addresses are not only reassignable, but for 
> > some domains, they are notoriously short-lived identifiers.
> 
> Is this really such a problem?  It seems to exist for URL's 
> in the current protocol proposal anyway.  For instance, most 
> people don't own a Domain, which means they'll be using 
> OpenID URL's that somebody else owns.  Thus, URL's are 
> reassignable too, and suffer from this in the same way 
> (although I don't really see this as a problem).
> 
> > * Non-portability: unless you own the top-level domain, they aren't 
> > portable.
> 
> Again, is this a problem if the email isn't the actual 
> identifier?  If we have a means of mapping an email to an 
> OpenID Identity URL, then if the email goes away (is 
> transferred or otherwise not in the control of the original 
> user), then what's the problem?
> 
> Point 1.) Losing an email address is no different than the 
> case where a URL is lost/transferred/goes away.
> 
> Point 2.) If a user "lost" his email address, theoretically 
> the owner of the email address (example.com, e.g.) would 
> remove the mapping from beth@example.com to beth's Identity 
> Provider URL.
> 
> Point 3.) Even if the email address domain owner failed to 
> remove this mapping, only the end-user (beth in this case) 
> would be using the email to login.  Presumably, if she 
> switched email addresses, she would use her new address to 
> login, and it wouldn't matter.  Somebody else trying to use 
> her email address would need to login to the IdP, and 
> presumably be stopped there.
> 
> > Food for thought...
> > 
> > =Drummond
> 
> 
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
> 
> 
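
The distinction drawn at the top of this message between user presentation and machine presentation, as an added example that is not part of the original thread: a hypothetical `machine_form` helper maps typed input to a scheme-qualified identifier and rejects `http://user@example.com`, where URL parsing treats `user` as userinfo for the host rather than as a mailbox. The function names, the choice of `mailto:` for bare mailboxes, and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def _mailto(addr: str) -> str:
    """Validate a bare mailbox and return it as a mailto: URI."""
    local, _, domain = addr.rpartition("@")
    if addr.count("@") != 1 or not local or "." not in domain.strip("."):
        raise ValueError(f"not a mailbox: {addr!r}")
    return "mailto:" + addr


def machine_form(user_input: str) -> str:
    """Map what a user typed to an explicit, scheme-qualified identifier."""
    text = user_input.strip()
    if not text or any(ch.isspace() for ch in text):
        raise ValueError("empty identifier or embedded whitespace")
    lowered = text.lower()
    if lowered.startswith(("http://", "https://")):
        parts = urlsplit(text)
        if parts.username is not None:
            # In an http URL, text before '@' is userinfo for the host,
            # so this is not a mailbox and must not be treated as one.
            raise ValueError(
                f"userinfo {parts.username!r} on host {parts.hostname!r}; "
                "use mailto: for email-style identifiers")
        if not parts.hostname:
            raise ValueError("http URL without a host")
        return text
    if lowered.startswith("mailto:"):
        return _mailto(text[len("mailto:"):])
    if "://" in text:
        raise ValueError("unsupported scheme")
    if "@" in text:
        return _mailto(text)          # user presentation of a mailbox
    if not urlsplit("http://" + text).hostname:
        raise ValueError("no host in identifier")
    return "http://" + text           # user presentation of a web site


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ("www.cnn.com", "user@example.com",
                   "mailto:user@example.com", "http://user@example.com"):
        try:
            print(f"{sample!r} -> {machine_form(sample)!r}")
        except ValueError as err:
            print(f"{sample!r} rejected: {err}")
```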
