[PROPOSAL] Handle "http://user at example.com" Style Identifiers

George Fletcher gffletch at aol.com
Sun Oct 22 23:48:33 UTC 2006



Dick Hardt wrote:
>
> On 20-Oct-06, at 10:14 AM, George Fletcher wrote:
>>
>> Of course, my expectation is that this syntax would be optional; the 
>> user can always specify their full URI identifier.
>>
>> I agree that this kind of an identifier is not portable, but I'm 
>> guessing that most users wouldn't know how to tweak their blog to add 
>> the necessary OpenID 1.1 HTML code to change their IDP.  Most users 
>> just use flickr for photos and if flickr supported OpenID, could 
>> potentially use some URI defined for them by flickr as an OpenID 
>> identifier.  This identifier from flickr would not be very easily 
>> portable.
>
> My understanding of the proposal from David was that this was a way to 
> discover the user's IdP, not that the email was an identifier.
>
> -- Dick
>
Sorry to imply that email should be a valid identifier.  That wasn't my 
intent.  I'm fine with where this discussion is headed (and has headed 
in the past; after reading the old threads).  For widespread adoption 
it will be very important to have a "If you're not sure what to enter, 
click here" link on the login form to try and explain to users what they 
might be able to try as identifiers.

My comment was really trying to speak to the issue of identifier 
portability.  Is there an OpenID definition for this?

If I have an OpenID provided by SomeSite as http://george.somesite.com, 
then how is that identifier portable?  For it to be portable, 
somesite.com would have to allow me to either (a) change the HTML code 
of my "public page" (though if I read the draft 2.0 spec correctly, the 
HTML method is deprecated) or (b) provide some mechanism where I could 
change the IDP service URL returned in the XRDS document.  If 
somesite.com does not provide either of these mechanisms, then this 
identifier is not "portable".  Also, the viability of my identifier may 
be dependent on the service. For instance, somesite.com may have a rule 
that says if I delete my SomeSite "account", then they will no longer 
authenticate my identifier. Of course, user choice always enters in and 
I can choose to not use that service as my OpenID identifier provider.

The "i-names" infrastructure does solve some of this by focusing on the 
identity management issues.  Though here I'm paying explicitly for this 
"portability" service (along with others).

Thanks,
George

P.S. Should this discussion get moved to the "general" list?
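
Added example (not part of George Fletcher's message and not code from any OpenID library): a sketch of OpenID 1.1 HTML discovery illustrating the portability point in the message above, namely that whoever can edit the `<head>` of the page at the identifier URL decides which IdP authenticates it. The page contents and the `idp-a.example` / `idp-b.example` hosts are constructed, and `discover` is a hypothetical helper.

```python
from html.parser import HTMLParser

class OpenIDLinkParser(HTMLParser):
    """Collect OpenID 1.1 <link> relations, but only inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and href:
                    self.rels.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Hypothetical helper: return the IdP endpoint a relying party would use."""
    p = OpenIDLinkParser()
    p.feed(html)
    p.close()
    server = p.rels.get("openid.server")
    if server is None:
        return None  # page does not declare an IdP in its <head>
    return {"claimed_id": claimed_id, "idp": server,
            "delegate": p.rels.get("openid.delegate", claimed_id)}

CLAIMED = "http://george.somesite.com"  # identifier used in the message
# Constructed pages: the same URL before and after its owner edits the <head>.
PAGE_BEFORE = ('<html><head><link rel="openid.server" '
               'href="https://idp-a.example/server"></head><body></body></html>')
PAGE_AFTER = ('<html><head>'
              '<link rel="openid.server" href="https://idp-b.example/server">'
              '<link rel="openid.delegate" href="https://george.idp-b.example/">'
              '</head><body></body></html>')
# Constructed page where the tag appears only in body content (e.g. a comment field).
PAGE_BODY_ONLY = ('<html><head></head><body><link rel="openid.server" '
                  'href="https://idp-b.example/server"></body></html>')

if __name__ == "__main__":
    for page in (PAGE_BEFORE, PAGE_AFTER, PAGE_BODY_ONLY):
        print(discover(CLAIMED, page))
```

The claimed identifier is identical in the first two results while the IdP differs, which is the portability the message asks about; the third result is `None` because tags outside `<head>` are ignored.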