Map/Normalize Email Address to IdP/OP URL (Was [PROPOSAL] Handle "http://user@example.com" Style Identifiers)

David Fuelling sappenin at gmail.com
Fri Nov 10 03:18:53 UTC 2006


Hey David,

Thanks for your ideas.  Some more thoughts below.

> -----Original Message-----
> From: David Nicol [mailto:davidnicol at gmail.com]
> Sent: Thursday, November 09, 2006 6:49 PM
> To: David Fuelling
> Cc: Martin Atkins; specs at openid.net; general at openid.net
> Subject: Re: [PROPOSAL] Handle "http://user@example.com" Style Identifiers
> 
> On 11/9/06, David Nicol <davidnicol at gmail.com> wrote:
>  
> http://sappenin@gmail.com (cool addy, btw) certainly
> won't get anyone to David Fuelling's home page, now or in any likely
> future.
>

True, http://sappenin@gmail.com won't get anyone to my homepage...but it
would get me to my IdP (assuming Google was my IdP, and offered such a
scheme).

> Ideas:
> 
> (1) define a way to include an e-mail address among the things obtainable
> with an OpenID authentication, and a transform to provide a default when
> none is declared
> 

I think the OpenID Simple Registration Extension will provide for this (if I
understand what you mean):
http://openid.net/specs/openid-simple-registration-extension-1_0.html

> (2a) declare that OpenID does not do e-mail based authentication and never
> will
> 

I hope this can get some more debate in some form or fashion.
:)

> (2b) name some other mechanism for e-mail based authentication and include
> it by reference, blessing said method by so doing.
> 

I think that all this discussion about email userid is moving us off track.
My original proposal was that the email maps/normalizes to a URL of an IdP
(the userid is ignored/not used).

So, 'xyzzy@any.edu' would be treated as if the User had entered
'http://any.edu' (the URL of their IdP/OP) into the OpenID login form.
 
Once the user agent is redirected to the 'any.edu' IdP, the IdP would be
responsible for figuring out which user is trying to log in to the IdP (this
is already allowed by OpenID since we can enter a homesite/IdP/OP URL into
the login form).  The OP might authenticate me by biometrics (voice,
fingerprint, DNA sample, etc.), or some other scheme, making the username
portion of my email irrelevant.

Just to be clear, I'm **not** advocating that an email get transformed into
a URL that includes the userid of the email (although, I'd be open to
entertaining the notion).
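
The mapping proposed in the message above, sketched in Python as an added example; it is not part of the original post and not taken from any OpenID library. The function name, the host-name check, and the decision to refuse ambiguous userid parts (more than one '@', or a 'user:password' form) are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Conservative DNS-name check: an assumption of this sketch, not from the post.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def normalize_identifier(user_input: str) -> str:
    """Map login-form input to the URL that discovery starts from.

    'user@host' and 'http://user@host' both become 'http://host/': the userid
    is ignored, as the post proposes. Ordinary URLs keep their path and query.
    """
    text = user_input.strip()
    if not text or any(c.isspace() for c in text):
        raise ValueError("empty identifier or embedded whitespace")
    if "://" not in text:
        text = "http://" + text          # bare 'user@host' or 'host/path'
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")

    userid, at, _ = parts.netloc.rpartition("@")
    if at and (not userid or "@" in userid or ":" in userid):
        # 'a@b@host' and 'user:password@host' are refused rather than guessed at
        raise ValueError("ambiguous userid part")

    host = parts.hostname or ""          # urlsplit lowercases and drops userinfo
    if not _HOST_RE.fullmatch(host):
        raise ValueError("not a usable host name")
    port = f":{parts.port}" if parts.port else ""   # .port raises on junk ports

    if at:
        # Email-style input: only the IdP's root URL is used (assumed here);
        # an empty path is written as '/'.
        return f"{parts.scheme}://{host}{port}/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{host}{port}{parts.path or '/'}{query}"
```

Because the userid is discarded before discovery, the relying party learns only which IdP to contact; identifying the user is left entirely to that IdP, as the message describes.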




