[PROPOSAL] Handle "http://user at example.com" Style Identifiers
George Fletcher
gffletch at aol.com
Mon Oct 23 00:05:05 UTC 2006
Dick Hardt wrote:
> What is different with OpenID vs email is that there is certainty
> that the user actually is the user.
>
I'm a little confused. How is there certainty that "the user actually
is the user"? The viability of the identifier representing the same
user is dependent on the OpenID provider not recycling identifiers. Or
did you just mean that in email, authentication is not always required
for someone to use an email identifier?
Note that the OpenID protocol does not prevent idp.spammers.com from
allowing any identifier to be used and "authenticated" regardless of
whether it's the same user or not. It is incumbent on the relying
parties to determine if they will allow identifiers authenticated by a
particular idp.
Thanks,
George
More information about the specs
mailing list