[PROPOSAL] Handle "http://user at example.com" Style Identifiers

George Fletcher gffletch at aol.com
Mon Oct 23 00:05:05 UTC 2006



Dick Hardt wrote:
> What is different with OpenID vs email is that there is certainty  
> that the user actually is the user. 
>   
I'm a little confused.  How is there certainty that "the user actually 
is the user"?  The viability of the identifier representing the same 
user is dependent on the OpenID provider not recycling identifiers. Or 
did you just mean that in email, authentication is not always required 
for someone to use an email identifier?

Note that the OpenID protocol does not prevent idp.spammers.com from 
allowing any identifier to be used and "authenticated" regardless of 
whether it's the same user or not.  It is incumbent on the relying 
parties to determine if they will allow identifiers authenticated by a 
particular idp.

Thanks,
George



More information about the specs mailing list