[PROPOSAL] Handle "http://user at example.com" Style Identifiers

Dick Hardt dick at sxip.com
Sun Oct 22 21:09:28 UTC 2006


On 22-Oct-06, at 11:44 AM, Praveen Alavilli wrote:
> It's more of a problem with how we can accept 3rd party OpenID
> users at AOL (we as an RP). Obviously for simple use cases like
> leaving comments on blogs it wouldn't really matter as long as the
> user is identified by someone (and someone doing rate limiting or
> something else to prevent spamming - otherwise I still can't see
> how it reduces spam anyway) - but when we want to take it to the
> next level - provide more services to these users (photos/calendar/
> etc.) we want to limit it to only a few IDPs whom we trust (due
> to both security and business reasons). So this is the problem we
> are trying to figure out: how we can message the users that we
> support OpenIDs from certain providers (say Verisign PIP) but not
> from all. Obviously we can just follow the existing model of a free
> form field that says "Enter your OpenID" but most of the time we
> will end up failing the users saying "we don't accept your OpenID".
> Just bad user experience in our opinion. So instead we want to
> somehow message the user saying these are the only IDPs we trust -
> whether showing a drop down list of IDPs on the login form or
> something else, we want to see a standard way of doing it so users
> don't feel like they are in an alien world from one RP to another
> (of course keeping aside the phishing issues). We totally agree that
> adding another option to the already confusing list of account
> types is a bad idea.

OpenID Authentication allows you to know it is the same user that you  
saw last time. In many ways, it is an automated mechanism for public  
sites that allow anyone to create an account by selecting a username  
and a password. Limiting users to come from only a small set of IdPs  
is like limiting which ISPs can connect to your website -- it is not  
the user-centric model.

For example, if you have not seen an identifier before, you may  
require them to enter a captcha. When you see them again, and if they  
did not do something *bad*, then you may not need to prompt them for  
the *captcha* again.

What is different with OpenID vs email is that there is certainty
that the user actually is the user. With email, there is no certainty
that the from: field really is who sent the message, which is what a
number of protocols in the SMTP world are working to resolve. Just
like in the battle with spam, once you have the identity of the user,
then you can have 3rd party assertions from someone you trust (if
needed) to have more data about the user.

For example, there may be a service provider that asserts that a  
given identifier belongs to a user that has a *good* reputation.

-- Dick
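The RP-side policy Dick sketches (captcha on first sight, no captcha once the identifier has a clean history, a deny once it has misbehaved, and an optional third-party reputation assertion that can vouch for an identifier the RP has never seen) as an added example in Python. This is not code from the thread or from any OpenID library; the class and function names, the in-memory history store, the simplified identifier normalization and the reputation lookup are all constructed for illustration. It assumes `decide()` is only ever called with an identifier the OP has already asserted and the RP has already verified; keying history on an unverified typed string would defeat the point.

```python
# Added example, not from the original thread. Illustrates an RP keeping
# per-identifier history so a returning, well-behaved OpenID user is not
# re-challenged, while an unknown one is. All names and data are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """Canonicalize a user-typed or OP-asserted identifier so that
    'Example.com/alice' and 'http://example.com/alice/' share one history
    record. Simplified (assumption, not the full OpenID normalization rules):
    add http:// when no scheme is present, lowercase scheme and host,
    drop any fragment, strip a trailing slash from the path."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


@dataclass
class IdentifierRecord:
    successful_logins: int = 0
    abuse_flags: int = 0


@dataclass
class RelyingPartyPolicy:
    # In-memory history; a real RP would persist this per identifier.
    history: Dict[str, IdentifierRecord] = field(default_factory=dict)
    # Optional third-party reputation oracle: returns True if a service the
    # RP trusts asserts the identifier has a good reputation.
    reputation: Optional[Callable[[str], bool]] = None

    def decide(self, raw_identifier: str) -> str:
        """Return 'deny', 'captcha' or 'allow' for an identifier whose OpenID
        authentication has already succeeded and been verified by this RP."""
        ident = normalize_identifier(raw_identifier)
        rec = self.history.get(ident)
        if rec is not None and rec.abuse_flags > 0:
            return "deny"            # seen before and did something bad
        if rec is not None and rec.successful_logins > 0:
            return "allow"           # seen before, no abuse: skip the captcha
        if self.reputation is not None and self.reputation(ident):
            return "allow"           # never seen, but a trusted party vouches
        return "captcha"             # never seen, nobody vouches: challenge

    def record_login(self, raw_identifier: str, captcha_passed: bool = True) -> None:
        """Record a completed login (after any captcha) against the identifier."""
        rec = self.history.setdefault(normalize_identifier(raw_identifier), IdentifierRecord())
        if captcha_passed:
            rec.successful_logins += 1

    def flag_abuse(self, raw_identifier: str) -> None:
        """Mark the identifier as having done something *bad* (spam, etc.)."""
        rec = self.history.setdefault(normalize_identifier(raw_identifier), IdentifierRecord())
        rec.abuse_flags += 1


def demo() -> List[str]:
    """Walk one identifier through first visit, return visit and abuse, plus an
    unseen identifier that a constructed reputation service vouches for."""
    vouched = {"http://good.example.com/bob"}           # constructed reputation data
    rp = RelyingPartyPolicy(reputation=lambda i: i in vouched)
    decisions = []
    decisions.append(rp.decide("Example.com/alice"))    # first sight -> captcha
    rp.record_login("http://example.com/alice/")        # same identifier once normalized
    decisions.append(rp.decide("example.com/alice"))    # clean history -> allow
    rp.flag_abuse("example.com/alice")
    decisions.append(rp.decide("example.com/alice"))    # flagged -> deny
    decisions.append(rp.decide("good.example.com/bob")) # unseen but vouched -> allow
    return decisions


if __name__ == "__main__":
    print(demo())
```

The normalization step is what makes the history useful: without it, a user (or a spammer) reaches a fresh record just by changing the case of the host or adding a trailing slash. The reputation hook is deliberately a plain callable so the RP decides which asserting party it trusts, which is the "3rd party assertions from someone you trust" point above rather than a hard-coded IdP allowlist.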
