[PROPOSAL] Handle "http://user at example.com" Style Identifiers

David Fuelling sappenin at gmail.com
Wed Nov 8 18:55:37 UTC 2006


Hi Philip,

I'm not sure I understand "Please don't use HTTP this way".  

I was suggesting that the user enter an email address.  The RP then maps the
email address to a URL (which would be in the proper scheme).


> -----Original Message-----
> From: Hallam-Baker, Phillip [mailto:pbaker at verisign.com]
> Sent: Wednesday, November 08, 2006 1:45 PM
> To: David Fuelling; specs at openid.net
> Subject: RE: [PROPOSAL] Handle "http://user@example.com" Style Identifiers
> 
> Please don't use HTTP this way. That is not the semantics for http URLs.
> 
> A better scheme would be to use mailto:user at example.com or to define
> openid:user at example.com
> 
> 
> There are two issues here:
> 
> 1) The user presentation of the identifier
> 2) The machine presentation
> 
> The two do not need to be the same. www.cnn.com works perfectly well as a
> way to locate CNN. That is a perfectly acceptable user presentation. It is
> not an acceptable machine presentation and browsers SHOULD NOT accept
> href="www.cnn.com".
> 
> 
> 
> 
> > -----Original Message-----
> > From: specs-bounces at openid.net
> > [mailto:specs-bounces at openid.net] On Behalf Of David Fuelling
> > Sent: Wednesday, November 08, 2006 1:40 PM
> > To: specs at openid.net
> > Subject: RE: [PROPOSAL] Handle "http://user@example.com"
> > Style Identifiers
> >
> > Please see my questions/ideas enclosed...
> >
> > Thanks!
> >
> > David Fuelling
> >
> > > -----Original Message-----
> > > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> > > Behalf Of Drummond Reed
> > > Sent: Friday, October 20, 2006 1:04 AM
> > > To: 'Recordon, David'; specs at openid.net
> > > Subject: RE: [PROPOSAL] Handle "http://user@example.com" Style
> > > Identifiers
> > >
> > > There have been several long threads in the past about using email
> > > addresses as OpenID identifiers. The conclusion each time
> > has been to
> > avoid it. I don't remember all the arguments, but among them are:
> > >
> > > * Privacy: the last thing many users want to give a website
> > is their
> > > email address.
> >
> > This seems reasonable at first glance.  However, almost every
> > website I have a login with (today) requests my email address
> > so that the site can communicate with me electronically.
> >
> > So, if email addresses WERE used as an additional "login
> > input" for OpenId, a user who didn't want to use his/her
> > email address to login could always just use an IdP URL or
> > XRI instead (as they can today).
> >
> > Am I missing the privacy concern here?
> >
> > > * Reassignability: email addresses are not only
> > reassignable, but for
> > > some domains, they are notoriously short-lived identifiers.
> >
> > Is this really such a problem?  It seems to exist for URL's
> > in the current protocol proposal anyway.  For instance, most
> > people don't own a Domain, which means they'll be using
> > OpenID URL's that somebody else owns.  Thus, URL's are
> > reassignable too, and suffer from this in the same way
> > (although I don't really see this as a problem).
> >
> > > * Non-portability: unless you own the top-level domain, they aren't
> > > portable.
> >
> > Again, is this a problem if the email isn't the actual
> > identifier?  If we have a means of mapping an email to an
> > OpenID Identity URL, then if the email goes away (is
> > transferred or otherwise not in the control of the original
> > user), then what's the problem?
> >
> > Point 1.) Losing an email address is no different than the
> > case where a URL is lost/transferred/goes away.
> >
> > Point 2.) If a user "lost" his email address, theoretically
> > the owner of the email address (example.com, e.g.) would
> > remove the mapping from beth at example.com to beth's Identity
> > Provider URL.
> >
> > Point 3.) Even if the email address domain owner failed to
> > remove this mapping, only the end-user (beth in this case)
> > would be using the email to login.  Presumably, if she
> > switched email addresses, she would use her new address to
> > login, and it wouldn't matter.  Somebody else trying to use
> > her email address would need to login to the IdP, and
> > presumably be stopped there.
> >
> > > Food for thought...
> > >
> > > =Drummond
> >
> >
> > _______________________________________________
> > specs mailing list
> > specs at openid.net
> > http://openid.net/mailman/listinfo/specs
> >
> >




More information about the specs mailing list