[PROPOSAL] Handle "http://user@example.com" Style Identifiers
Hallam-Baker, Phillip
pbaker at verisign.com
Wed Nov 8 18:45:04 UTC 2006
Please don't use HTTP this way. That is not the semantics for http URLs.

A better scheme would be to use mailto:user@example.com or to define openid:user@example.com

There are two issues here:

1) The user presentation of the identifier
2) The machine presentation

The two do not need to be the same. www.cnn.com works perfectly well as a way to locate CNN. That is a perfectly acceptable user presentation. It is not an acceptable machine presentation and browsers SHOULD NOT accept href="www.cnn.com".

> -----Original Message-----
> From: specs-bounces at openid.net
> [mailto:specs-bounces at openid.net] On Behalf Of David Fuelling
> Sent: Wednesday, November 08, 2006 1:40 PM
> To: specs at openid.net
> Subject: RE: [PROPOSAL] Handle "http://user@example.com"
> Style Identifiers
>
> Please see my questions/ideas enclosed...
>
> Thanks!
>
> David Fuelling
>
> > -----Original Message-----
> > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> > Behalf Of Drummond Reed
> > Sent: Friday, October 20, 2006 1:04 AM
> > To: 'Recordon, David'; specs at openid.net
> > Subject: RE: [PROPOSAL] Handle "http://user@example.com" Style
> > Identifiers
> >
> > There have been several long threads in the past about using email
> > addresses as OpenID identifiers. The conclusion each time has been to
> > avoid it. I don't remember all the arguments, but among them are:
> >
> > * Privacy: the last thing many users want to give a website is their
> > email address.
>
> This seems reasonable at first glance. However, almost every
> website I have a login with (today) requests my email address
> so that the site can communicate with me electronically.
>
> So, if email addresses WERE used as an additional "login
> input" for OpenID, a user who didn't want to use his/her
> email address to log in could always just use an IdP URL or
> XRI instead (as they can today).
>
> Am I missing the privacy concern here?
>
> > * Reassignability: email addresses are not only reassignable, but for
> > some domains, they are notoriously short-lived identifiers.
>
> Is this really such a problem? It seems to exist for URLs
> in the current protocol proposal anyway. For instance, most
> people don't own a domain, which means they'll be using
> OpenID URLs that somebody else owns. Thus, URLs are
> reassignable too, and suffer from this in the same way
> (although I don't really see this as a problem).
>
> > * Non-portability: unless you own the top-level domain, they aren't
> > portable.
>
> Again, is this a problem if the email isn't the actual
> identifier? If we have a means of mapping an email to an
> OpenID Identity URL, then if the email goes away (is
> transferred or otherwise not in the control of the original
> user), then what's the problem?
>
> Point 1.) Losing an email address is no different than the
> case where a URL is lost/transferred/goes away.
>
> Point 2.) If a user "lost" his email address, theoretically
> the owner of the email address (example.com, e.g.) would
> remove the mapping from beth@example.com to beth's Identity
> Provider URL.
>
> Point 3.) Even if the email address domain owner failed to
> remove this mapping, only the end-user (beth in this case)
> would be using the email to log in. Presumably, if she
> switched email addresses, she would use her new address to
> log in, and it wouldn't matter. Somebody else trying to use
> her email address would need to log in to the IdP, and
> presumably be stopped there.
>
> > Food for thought...
> >
> > =Drummond