From: paulej at packetizer.com (Paul E. Jones)
Date: Tue, 1 Apr 2008 22:30:33 -0400
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.

While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:

yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal with.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul
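Added example (editor's code, not from this thread, the OpenID specifications, or any implementation mentioned in it): what a Relying Party would actually do with the NAPTR record proposed above. It parses the zone entry, applies the RFC 3403 regexp field to a typed user@domain identifier, and returns the URL that ordinary OpenID discovery then starts from, while keeping the claimed identifier in the mailto: form James suggests later in the thread. The zone data, the packetizer.com rules and the example.net hosts are constructed; the https-only policy, the percent-encoding of captured groups and the length cap on the identifier are hardening choices of this example, not part of the proposal. The record in the thread opens with the ERE rather than a delimiter, so the field parser accepts that spelling as well as the RFC 3403 form.

```python
"""Map a typed "user@domain" identifier to an OpenID discovery URL via NAPTR.
Added example for this thread, not code from the OpenID specs or any implementation
mentioned in it; the zone data and target hosts below are constructed."""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, urlsplit

SERVICE = "openid2"           # NAPTR service tag proposed in the thread
ALLOWED_SCHEMES = ("https",)  # policy assumed here: the mapping arrives over
                              # unauthenticated DNS, so only discover via TLS
NaptrRecord = namedtuple("NaptrRecord",
                         "owner order preference flags service regexp replacement")
_ZONE_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+NAPTR\s+(?P<order>\d+)\s+(?P<pref>\d+)\s+'
    r'"(?P<flags>[^"]*)"\s+"(?P<service>[^"]*)"\s+"(?P<regexp>[^"]*)"\s*(?P<repl>\S+)?$',
    re.IGNORECASE)
_BACKREF = re.compile(r"\\([0-9])")
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_zone(text: str) -> Dict[str, List[NaptrRecord]]:
    """Zone-file style NAPTR lines -> {owner: [records]}.  The trailing
    replacement field is optional here because the thread's record omits it."""
    zone: Dict[str, List[NaptrRecord]] = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = _ZONE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable NAPTR line: {line!r}")
        rec = NaptrRecord(m["owner"].lower(), int(m["order"]), int(m["pref"]),
                          m["flags"], m["service"], m["regexp"], m["repl"] or ".")
        zone.setdefault(rec.owner, []).append(rec)
    return zone


def split_regexp_field(field: str) -> Tuple[str, str, str]:
    """RFC 3403 "<d>ere<d>repl<d>flags" -> (ere, repl, flags).  The RFC puts the
    delimiter first; a field opening with the ERE itself (the thread's spelling)
    is read as if delimited by "!" (an assumption of this example)."""
    delim = field[:1]
    if not delim or delim.isalnum() or delim in "^\\":
        delim, field = "!", "!" + field
    parts = re.split(r"(?<!\\)" + re.escape(delim), field)  # "\<d>" does not split
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"malformed regexp field: {field!r}")
    return parts[1], parts[2], parts[3]


def apply_rule(rec: NaptrRecord, identifier: str) -> Optional[str]:
    """Rewrite `identifier` with one rule; None if its ERE does not match."""
    ere, repl, flags = split_regexp_field(rec.regexp)
    m = re.search(ere, identifier, re.IGNORECASE if "i" in flags.lower() else 0)
    if not m:
        return None
    # Percent-encode each captured group before it lands in the URL so a typed local
    # part like "paulej/../admin" or "paulej#x" cannot change the provider URL's
    # path, query or fragment.  RFC 3403 does not ask for this; it is added hardening.
    groups = ["" if g is None else quote(g, safe="") for g in m.groups()]

    def backref(bm) -> str:
        n = int(bm.group(1))
        if n == 0 or n > len(groups):
            raise ValueError(f"bad backreference \\{n} in {rec.regexp!r}")
        return groups[n - 1]
    return _BACKREF.sub(backref, repl)


def acceptable_discovery_url(url: str) -> bool:
    """Only absolute URLs with an allowed scheme and a sane host reach discovery."""
    p = urlsplit(url)
    return (p.scheme in ALLOWED_SCHEMES and "@" not in p.netloc
            and p.hostname is not None and _HOSTNAME.match(p.hostname) is not None)


def map_email_identifier(identifier: str,
                         zone: Dict[str, List[NaptrRecord]]) -> Optional[Tuple[str, str]]:
    """Map "user@domain" to (claimed_id, discovery_url) or None; `zone` stands in for
    a live DNS query.  The claimed id keeps the "mailto:" form James suggests later in
    the thread; the URL is only the starting point for ordinary OpenID discovery.
    Matching rules (OpenID2 service, terminal "U" flag) go by order, then preference."""
    ident = identifier.strip()
    if len(ident) > 254 or ident.count("@") != 1:  # cap what reaches a third-party ERE
        return None
    local, domain = ident.split("@")
    domain = domain.rstrip(".").lower()
    if not local or not _HOSTNAME.match(domain):
        return None
    rules = [r for r in zone.get(domain + ".", [])
             if r.service.lower() == SERVICE and r.flags.lower() == "u"]
    for rule in sorted(rules, key=lambda r: (r.order, r.preference)):
        url = apply_rule(rule, f"{local}@{domain}")
        if url is not None and acceptable_discovery_url(url):
            return f"mailto:{local}@{domain}", url
    return None


# Constructed zone data standing in for DNS answers.  The yahoo.com line is the
# record proposed in the thread; packetizer.com's rules and the example.net hosts
# are made up, with the preferred rule pointing at plain http so it gets skipped.
SAMPLE_ZONE = r'''
yahoo.com.      IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
packetizer.com. IN NAPTR 100 10 "U" "OpenID2" "!^(.+)@packetizer\.com$!http://legacy.example.net/id/\1!i" .
packetizer.com. IN NAPTR 100 20 "U" "OpenID2" "!^(.+)@packetizer\.com$!https://openid.example.net/users/\1!i" .
'''
ZONE = parse_zone(SAMPLE_ZONE)
```

Two things the example makes concrete: the NAPTR answer is plain, unauthenticated DNS unless the resolver validates DNSSEC, so the mapped URL is only the starting point for discovery and is never treated as a verified identity; and the rule's regular expression is supplied by whoever controls the domain, so the RP bounds what it feeds to that expression and skips a preferred rule whose output it will not follow (the constructed packetizer.com pair shows the pref-10 http rule being passed over for the pref-20 https one).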
From: brad at danga.com (Brad Fitzpatrick)
Date: Tue, 1 Apr 2008 19:37:31 -0700
Subject: Using email address as OpenID identifier

This has been discussed to death and really should be a FAQ by now, but it's not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and ignore what is done with that URL then. yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to type in "yahoo.com", or press the pretty yahoo button. No typing.

-- For email-to-URL, NAPTR by itself is a non-starter. Technically it may be the correct way, but average people don't control their DNS. Hell, networksolutions doesn't even let you add SRV or TXT records.

-- A good solution to email-to-URL mapping will likely involve an XRDS-Simple-style two-pronged discovery lookup path. Whereas XRDS-Simple says "try Accept header, then parse the tag", a good email-to-URL lookup "protocol" (best practice?) might be to try NAPTR first, then fall back to this: http://brad.livejournal.com/2357444.html

- Brad
From: eran at hueniverse.com (Eran Hammer-Lahav)
Date: Tue, 1 Apr 2008 22:42:52 -0400
Subject: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going.
But the biggest issue is not picking a standard but finding a company willing to put something out there. As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all.

Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversion. Basically if you had a generic way of moving from mailto:user@example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID.

But at the end this is about someone at a major email provider saying they are interested and putting out something people can use. After that I expect the snowball to roll. So, do you know anyone? :)

EHL
From: paulej at packetizer.com (Paul E. Jones)
Date: Tue, 1 Apr 2008 23:42:08 -0400
Subject: Using email address as OpenID identifier

Eran,

You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned. But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions.

Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej@myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider.
In short, just because the user@domain syntax is used does not mean that it is necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822.

Paul
From: dick at sxip.com (Dick Hardt)
Date: Tue, 1 Apr 2008 20:44:35 -0700
Subject: Using email address as OpenID identifier

On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:
> -- that said, with directed identity in OpenID 2.0, a user just needs to type in "yahoo.com", or press the pretty yahoo button. No typing.

I think this is why we don't need to use emails.
People are very familiar with typing in a URL in the address bar. The experience of entering a URL and then being on that page is also really familiar. This is of course what happens when you type the OP into the OpenID prompt.

Sorry for not being the least bit supportive of the email as identifier idea -- there are just so many things that are bad about it and the good reason (an identifier they already know) is provided per above with the advantage of giving an expected experience.

I agree with Brad that we need to write a FAQ on this.

-- Dick

From: eran at hueniverse.com (Eran Hammer-Lahav)
Date: Wed, 2 Apr 2008 00:17:24 -0400
Subject: Using email address as OpenID identifier

Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially the list of other solutions proposed before me, as well as Brad's proposal.

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this DNS, and they *are* the email providers.

EHL
From: james at jamesh.id.au (James Henstridge)
Date: Wed, 2 Apr 2008 12:30:09 +0800
Subject: Using email address as OpenID identifier

On 02/04/2008, Paul E. Jones wrote:
> While the e-mail address does not have to be one's ID, it can certainly
> serve as an alias. Suppose, for example, that the DNS records at Yahoo
> contained the following entry:
>
> yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
>
> This would allow a Relying Party to accept an e-mail address and perform a
> simple transformation to get the "real" URL identifier.

If your aim is to let people use an email address as an identifier, there are a few questions to answer:

1. when a user enters an email address into an RP, how is the claimed ID derived from that input?

2. given such an input, how does the RP go about discovering the OpenID endpoint URL and local ID for that identity?

With answers to these two questions, the remainder of the protocol should function as is.

I'm guessing (correct me if I'm wrong) that you're suggesting that this DNS lookup be done as part of (1). This seems like it would cause confusion if the user's ISP changed their DNS, since the user would see their email address as being the real identifier: not the URL that it maps to. A solution that matches more closely what the user expects would be to map "fred@example.com" to a claimed ID of "mailto:fred@example.com".

For (2), I'd suggest a solution that maps the email address either directly to an OpenID endpoint (using the claimed ID as local ID), or to an XRDS file. A DNS based solution seems fine here (either your NAPTR idea, or TXT records as suggested in replies to your post).

James.

From: paulej at packetizer.com (Paul E. Jones)
Date: Wed, 2 Apr 2008 00:52:34 -0400
Subject: Using email address as OpenID identifier

Brad,

Your point about DNS limitations is valid. Then again, anybody who will be offering the open identity server is likely going to have control over their DNS. Still, I'm not opposed to alternatives.

But, since you brought up the fact that one can enter yahoo.com and get redirected, I checked and, indeed, several OpenID sites already accept the e-mail ID as a form of identification, and I can get redirected to either Yahoo or MyOpenID.com. So, do some of the libraries already check for e-mail address forms? It seems that perhaps they do!

Paul
From: paulej at packetizer.com (Paul E. Jones)
Date: Wed, 2 Apr 2008 01:02:15 -0400
Subject: Using email address as OpenID identifier

Dick,

On this point, I really have to disagree. Even I rarely enter a URL into a web browser. Why bother when I know the web browser will figure it out for me. I don't want to type http:// or https:// :-)

More importantly, you and I are different than the average users. I've watched people struggle with getting addresses properly entered. I've watched people put "www" in front of every name entered into a web browser, even when the site might be something else. I've watched users enter \\ rather than //. I've even seen no slash at all. So, what I think is important is that users have something simple and consistent.
As I noted in my message to Brad just a moment ago, it appears that some sites will accept the e-mail address form and then figure out where to direct the user. I was pleasantly surprised. Given that at least some of the sites out there now do operate this way, I suspect it might just be a matter of time before all of them do. But, I think it's important that the user experience is consistent, as you say. If email IDs are going to be supported by some, they ought to be supported by all - even if they do nothing but figure out which OP to direct the browser to.

Paul

From: paulej at packetizer.com (Paul E. Jones)
Date: Wed, 2 Apr 2008 01:05:09 -0400
Subject: Using email address as OpenID identifier

Eran,

I'm not suggesting that the address must be a real e-mail address. I'm suggesting that the ID has that form. It's easier for users than entering https://me.yahoo.com/userid. If it happens to also be one's real e-mail address, fine. That would be a plus for me, but I don't see that as a requirement.

Paul
Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions. Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider. In short, just because the user at domain syntax is used does not mean that it necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822. Paul From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, April 01, 2008 10:43 PM To: specs at openid.net Subject: RE: Using email address as OpenID identifier The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there. As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID. But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll. So, do you know anyone? 
:-)

EHL

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones Sent: Tuesday, April 01, 2008 10:31 PM To: specs at openid.net Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.

While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:

yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul
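The mapping Paul sketches above, carried out end to end as an added example (this is editorial code, not code from the thread, from any OpenID library or from any OP): the RP first checks that the input is e-mail-shaped, then applies the RFC 3402 substitution from the matching NAPTR record and accepts the result only if it is a clean https URL with no userinfo. The record set is a constructed stand-in for a DNS answer (no lookup is made); the yahoo.com rule is the one from the thread written with the leading delimiter RFC 3402 requires, and packetizer.com, insecure.test and example-op.test are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a DNS NAPTR answer; no live lookup is made.
# Tuples follow RFC 3403: (order, preference, flags, service, regexp, replacement).
# yahoo.com: the thread's rule, with the leading delimiter RFC 3402 requires.
# packetizer.com: hypothetical domain delegating e-mail-style IDs to a hypothetical
#   OP (example-op.test); its SIP record shows that unrelated services are skipped.
# insecure.test: hypothetical domain whose rule yields a plain-http identifier.
CONSTRUCTED_NAPTR = {
    "yahoo.com": [
        (100, 10, "U", "OpenID2", r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i", "."),
    ],
    "packetizer.com": [
        (50, 10, "U", "SIP+D2U", r"!^.*$!sip:ignored@packetizer.com!", "."),
        (100, 10, "U", "OpenID2", r"!^(.+)@packetizer\.com$!https://\1.example-op.test/!i", "."),
    ],
    "insecure.test": [
        (100, 10, "U", "OpenID2", r"!^(.+)@(.*)$!http://ids.insecure.test/\1!i", "."),
    ],
}

# Conservative e-mail-style gate. The local part is spliced into a URL path by the
# rule, so it must not carry '/', '?', '#', whitespace or a second '@'.
EMAIL_STYLE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")


def is_email_style(identifier):
    """True only for user@domain inputs with a tightly restricted local part."""
    return EMAIL_STYLE.match(identifier) is not None


def parse_naptr_regexp(field):
    """Split an RFC 3402 substitution expression: delim ERE delim repl delim flags."""
    if len(field) < 3:
        raise ValueError("regexp field too short")
    delim = field[0]
    parts = field[1:].split(delim)
    if len(parts) != 3:
        raise ValueError("regexp field must contain exactly three delimiters")
    ere, repl, flags = parts
    return ere, repl, flags


def apply_naptr_regexp(field, key):
    """Apply one NAPTR regexp to the original key; None if the ERE does not match."""
    ere, repl, flags = parse_naptr_regexp(field)
    re_flags = re.IGNORECASE if "i" in flags else 0
    match = re.match(ere, key, re_flags)
    if match is None:
        return None
    # \1, \2 ... in the replacement are the ERE's back-references, as in sed.
    return match.expand(repl)


def accept_https_identifier(url):
    """RP-side policy (an assumption here): only a clean https URL without
    userinfo becomes the claimed identifier; anything else is refused."""
    if any(ch.isspace() for ch in url):
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    return url


def resolve_email_style(identifier, records=CONSTRUCTED_NAPTR):
    """Map an e-mail-style OpenID to its URL identifier, or return None so the RP
    falls back to ordinary OpenID normalization (input not e-mail-shaped, no
    OpenID2 NAPTR rule for the domain, or the rule produced an unacceptable URL)."""
    if not is_email_style(identifier):
        return None
    domain = identifier.rsplit("@", 1)[1].lower()
    rrset = sorted(records.get(domain, []), key=lambda rr: (rr[0], rr[1]))
    for order, pref, flags, service, regexp, replacement in rrset:
        # Only terminal ("U") OpenID2 rules yield a URI; other services are skipped.
        if service != "OpenID2" or "U" not in flags.upper():
            continue
        candidate = apply_naptr_regexp(regexp, identifier)
        if candidate is None:
            continue
        return accept_https_identifier(candidate)
    return None


if __name__ == "__main__":
    for entered in ("paulej@yahoo.com", "paulej@packetizer.com",
                    "someone@insecure.test", "https://me.yahoo.com/paulej"):
        print(entered, "->", resolve_email_style(entered))
```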
From dick at sxip.com Tue Apr 1 22:09:21 2008
From: dick at sxip.com (Dick Hardt) Date: Tue, 1 Apr 2008 22:09:21 -0700 Subject: Using email address as OpenID identifier In-Reply-To: <045701c8947f$1fe3cf40$5fab6dc0$@com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> Message-ID: <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com>

Entering yahoo.com is even easier!

On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote:
> Eran,
>
> I'm not suggesting that the address must be a real e-mail address. I'm suggesting that the ID has that form. It's easier for users than entering https://me.yahoo.com/userid. If it happens to also be one's real e-mail address, fine. That would be a plus for me, but I don't see that as a requirement.
>
> Paul
>
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav
> Sent: Wednesday, April 02, 2008 12:17 AM
> To: specs at openid.net
> Subject: RE: Using email address as OpenID identifier
>
> Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially the list of other solutions proposed before me, as well as Brad's proposal.
>
> The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this DNS, and they *are* the email providers.
>
> EHL
>
> From: Paul E. Jones [mailto:paulej at packetizer.com]
> Sent: Tuesday, April 01, 2008 11:42 PM
> To: Eran Hammer-Lahav; specs at openid.net
> Subject: RE: Using email address as OpenID identifier
>
> Eran,
>
> You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned.
>
> But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions.
>
> Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider. In short, just because the user at domain syntax is used does not mean that it is necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822.
>
> Paul
>
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav
> Sent: Tuesday, April 01, 2008 10:43 PM
> To: specs at openid.net
> Subject: RE: Using email address as OpenID identifier
>
> The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there.
>
> As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation.
> Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID.
>
> But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll. So, do you know anyone? :-)
>
> EHL
>
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones
> Sent: Tuesday, April 01, 2008 10:31 PM
> To: specs at openid.net
> Subject: Using email address as OpenID identifier
>
> Folks,
>
> I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best:
> http://www.majordojo.com/2007/02/what-openid-needs.php
>
> I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.
>
> While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:
>
> yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
>
> This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to use.
>
> If something like this has been discussed and rejected, what was the reason?
>
> Thanks,
> Paul
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs

From paulej at packetizer.com Tue Apr 1 22:16:41 2008
From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 2 Apr 2008 01:16:41 -0400 Subject: Using email address as OpenID identifier In-Reply-To: References: <03d401c89469$86c56720$94503560$@com> Message-ID: <046e01c89480$bc19eec0$344dcc40$@com>

James,

>> yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" .
>
> 1. when a user enters an email address into an RP, how is the claimed ID derived from that input?

Using the NAPTR record as shown above, if I use paulej at yahoo.com, the RP could perform a translation to https://me.yahoo.com/paulej

> 2. given such an input, how does the RP go about discovering the OpenID endpoint URL and local ID for that identity?
>
> With answers to these two questions, the remainder of the protocol should function as is.

At this point, the RP would have the "real" OpenID ID for the user. Everything else would proceed as normal.

> I'm guessing (correct me if I'm wrong) that you're suggesting that this DNS lookup be done as part of (1). This seems like it would cause confusion if the user's ISP changed their DNS, since the user would see their email address as being the real identifier: not the URL that it maps to.

Yes, that could be an issue. However, I would expect users would use an identifier from an OP that *looks like* an e-mail address. They would not necessarily use their real address. For example, I don't use Yahoo mail, but I would enter paulej at yahoo.com as my OpenID ID.
> A solution that matches closer with what the user expects would be to map "fred at example.com" to a claimed ID of "mailto:fred at example.com".

The average user is not going to know what "mailto:" is.

> For (2), I'd suggest a solution that maps the email address either directly to an OpenID endpoint (using the claimed ID as local ID), or to an XRDS file. A DNS based solution seems fine here (either your NAPTR idea, or TXT records as suggested in replies to your post).

NAPTR queries and transformations are straight-forward. It's just a regular expression transformation from something that looks like an e-mail address to the real OpenID ID.

But, again, I don't really care how it works. But, for the benefit of those who are not so technically capable, I believe it's got to be super, super trivial. NAPTR would work extremely well, I think, and would be fast. Any OpenID OP could provide an e-mail style identifier and it would certainly be a motivator for anybody providing e-mail service to also OpenID enable their subscriber's e-mail addresses.

Paul

From dick at sxip.com Tue Apr 1 22:27:32 2008
From: dick at sxip.com (Dick Hardt) Date: Tue, 1 Apr 2008 22:27:32 -0700 Subject: Using email address as OpenID identifier In-Reply-To: <043401c8947e$b8575360$2905fa20$@com> References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com> <8A363AC7-1696-40C7-B60A-CAEFB0D2DA72@sxip.com> <043401c8947e$b8575360$2905fa20$@com> Message-ID: <392B14ED-F0D8-4705-8BFD-21471F8801E0@sxip.com>

On 1-Apr-08, at 10:02 PM, Paul E. Jones wrote:
> Dick,
>
> On this point, I really have to disagree. Even I rarely enter a URL into a web browser. Why bother when I know the web browser will figure it out for me. I don't want to type http:// or https:// :-)

I don't want to type the protocol either. I should have been more clear, the user types yahoo.com or aol.com into the prompt.
Since this is NOT the identifier (which is a useful aspect of this method) -- the risks of NOT using https are much lower.

-- Dick

From james at jamesh.id.au Tue Apr 1 22:27:54 2008
From: james at jamesh.id.au (James Henstridge) Date: Wed, 2 Apr 2008 13:27:54 +0800 Subject: Using email address as OpenID identifier In-Reply-To: <042601c8947d$5e23da90$1a6b8fb0$@com> References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com> <042601c8947d$5e23da90$1a6b8fb0$@com> Message-ID:

On 02/04/2008, Paul E. Jones wrote:
> Brad,
>
> Your point about DNS limitations is valid. Then again, anybody who will be offering the open identity server is likely going to have control over their DNS. Still, I'm not opposed to alternatives.
>
> But, since you brought up the fact that one can enter yahoo.com and get redirected, I checked and, indeed, several OpenID sites already accept the e-mail ID as a form of identification, and I can get redirected to either Yahoo or MyOpenID.com. So, do some of the libraries already check for e-mail address forms? It seems that perhaps they do!

What you are seeing is probably not what you expect:

>>> from openid.consumer.discover import discover
>>> claimed_id, services = discover('anything@yahoo.com')
>>> for service in services:
...     print 'Local ID:', service.getLocalID()
...     print 'Server URL:', service.server_url
...
Local ID: None
Server URL: https://open.login.yahooapis.com/openid/op/auth
>>> claimed_id
'http://www.yahoo.com/'

What is happening is that "anything@yahoo.com" is being treated as "http://anything@yahoo.com/". As "http://yahoo.com" results in an identifier select endpoint that will work for any Yahoo user.
Note that the HTTP username isn't being used for anything here, and you'll get the same result by just entering "yahoo.com". I wonder if the Yahoo guys had considered this, or if it is just a happy accident?

James.

From paulej at packetizer.com Tue Apr 1 23:15:04 2008
From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 2 Apr 2008 02:15:04 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> Message-ID: <048401c89488$e44465d0$accd3170$@com>

Dick,

I'll give you that one: that's certainly easier. But, does that not cause some confusion? After all, one's identity is not yahoo.com, but that is the identity provider. Perhaps the prompts around the Internet ought to say "OpenID Provider:" instead? :-)

Presently, this variant works for some providers, but not most. I assume it's due to the fact they're not fully compliant with the spec yet? Or, is there some confusion as to how this ought to work?

Paul

From: Dick Hardt [mailto:dick at sxip.com] Sent: Wednesday, April 02, 2008 1:09 AM To: Paul E. Jones Cc: 'Eran Hammer-Lahav'; specs at openid.net Subject: Re: Using email address as OpenID identifier

Entering yahoo.com is even easier!

On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote:

Eran,

I'm not suggesting that the address must be a real e-mail address. I'm suggesting that the ID has that form. It's easier for users than entering https://me.yahoo.com/userid. If it happens to also be one's real e-mail address, fine. That would be a plus for me, but I don't see that as a requirement.
Paul

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Wednesday, April 02, 2008 12:17 AM To: specs at openid.net Subject: RE: Using email address as OpenID identifier

Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially the list of other solutions proposed before me, as well as Brad's proposal.

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this DNS, and they *are* the email providers.

EHL

From: Paul E. Jones [mailto:paulej at packetizer.com] Sent: Tuesday, April 01, 2008 11:42 PM To: Eran Hammer-Lahav; specs at openid.net Subject: RE: Using email address as OpenID identifier

Eran,

You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned. But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions.

Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider. In short, just because the user at domain syntax is used does not mean that it is necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822.
Paul

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, April 01, 2008 10:43 PM To: specs at openid.net Subject: RE: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID.

But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll. So, do you know anyone? :-)

EHL

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones Sent: Tuesday, April 01, 2008 10:31 PM To: specs at openid.net Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string.
I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.

While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:

yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to use.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul

From james at jamesh.id.au Tue Apr 1 23:33:53 2008
From: james at jamesh.id.au (James Henstridge) Date: Wed, 2 Apr 2008 14:33:53 +0800 Subject: Using email address as OpenID identifier In-Reply-To: <046e01c89480$bc19eec0$344dcc40$@com> References: <03d401c89469$86c56720$94503560$@com> <046e01c89480$bc19eec0$344dcc40$@com> Message-ID:

On 02/04/2008, Paul E. Jones wrote:
> > A solution that matches closer with what the user expects would be to map "fred at example.com" to a claimed ID of "mailto:fred at example.com".
>
> The average user is not going to know what "mailto:" is.

The mailto: transition would be something done internally by the RP. The RP could (and probably should) display email addresses without the "mailto:" prefix to the user.
This is similar to the way RPs store persistent XRIs as the user's claimed ID but are encouraged to display the reassignable XRI.

> > For (2), I'd suggest a solution that maps the email address either directly to an OpenID endpoint (using the claimed ID as local ID), or to an XRDS file. A DNS based solution seems fine here (either your NAPTR idea, or TXT records as suggested in replies to your post).
>
> NAPTR queries and transformations are straight-forward. It's just a regular expression transformation from something that looks like an e-mail address to the real OpenID ID.
>
> But, again, I don't really care how it works. But, for the benefit of those who are not so technically capable, I believe it's got to be super, super trivial. NAPTR would work extremely well, I think, and would be fast. Any OpenID OP could provide an e-mail style identifier and it would certainly be a motivator for anybody providing e-mail service to also OpenID enable their subscriber's e-mail addresses.

I don't think there is a need to introduce an HTTP identity URL here. If you're going to use an email address as an identity, then use an email address as an identity.

James.

From dick at sxip.com Tue Apr 1 23:36:43 2008
From: dick at sxip.com (Dick Hardt) Date: Tue, 1 Apr 2008 23:36:43 -0700 Subject: Using email address as OpenID identifier In-Reply-To: <048401c89488$e44465d0$accd3170$@com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> <048401c89488$e44465d0$accd3170$@com> Message-ID: <5FBF6E50-E1E4-4994-A50A-7B0340E59529@sxip.com>

On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote:
> Dick,
>
> I'll give you that one: that's certainly easier. But, does that not cause some confusion?
> After all, one's identity is not yahoo.com, but that is the identity provider. Perhaps the prompts around the Internet ought to say "OpenID Provider:" instead? :-)

:-) ... that label would be more accurate. There is lots of work to be done to make OpenID simpler for users. I think that what will be easy for users is something provided by the browser that lets the user click to initiate a login or registration. No typing is better than any typing! Back when we started working on the protocols we could not expect this kind of functionality to be in the browsers. Now that awareness is higher, having it built into the browser is feasible. I of course am biased given the work we have done with Sxipper http://sxipper.com :)

> Presently, this variant works for some providers, but not most. I assume it's due to the fact they're not fully compliant with the spec yet? Or, is there some confusion as to how this ought to work?

I don't think an OP is not OpenID 2.0 compliant if it does not take the OP as an identifier -- but I would have to reread the spec to make sure.

-- Dick

From joseph at josephholsten.com Wed Apr 2 01:52:10 2008
From: joseph at josephholsten.com (Joseph Anthony Pasquale Holsten) Date: Wed, 2 Apr 2008 03:52:10 -0500 Subject: Using email address as OpenID identifier In-Reply-To: <03d401c89469$86c56720$94503560$@com> References: <03d401c89469$86c56720$94503560$@com> Message-ID: <6E514F46-6262-43B3-987C-3CD5640D7DBB@josephholsten.com>

Does anyone have the time to write an email -> xrds discovery spec so we can formally ignore it? And so people can argue with their dns providers instead of on list?

http:// Joseph Holsten .com

On 02008:04:01, at 9:30CDT, Paul E. Jones wrote:
> Folks,
>
> I've seen discussion here and there on the use of the e-mail address as the OpenID identifier.
> Perhaps this one says it best:
> http://www.majordojo.com/2007/02/what-openid-needs.php
>
> I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.
>
> While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:
>
> yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
>
> This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to use.
>
> If something like this has been discussed and rejected, what was the reason?
>
> Thanks,
> Paul
From gffletch at aol.com Wed Apr 2 05:41:30 2008
From: gffletch at aol.com (George Fletcher) Date: Wed, 02 Apr 2008 08:41:30 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <5FBF6E50-E1E4-4994-A50A-7B0340E59529@sxip.com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> <048401c89488$e44465d0$accd3170$@com> <5FBF6E50-E1E4-4994-A50A-7B0340E59529@sxip.com> Message-ID: <47F37EFA.7090001@aol.com>

Dick Hardt wrote:
>
> On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote:
>> Dick,
>>
>> I'll give you that one: that's certainly easier. But, does that not cause some confusion? After all, one's identity is not yahoo.com, but that is the identity provider. Perhaps the prompts around the Internet ought to say "OpenID Provider:" instead? :-)
>
> :-) ... that label would be more accurate. There is lots of work to be done to make OpenID simpler for users. I think that what will be easy for users is something provided by the browser that lets the user click to initiate a login or registration. No typing is better than any typing! Back when we started working on the protocols we could not expect this kind of functionality to be in the browsers. Now that awareness is higher, having it built into the browser is feasible. I of course am biased given the work we have done with Sxipper http://sxipper.com :)

For the majority of users, this is probably the most likely path of introduction to OpenID. Note that it's not just about allowing the user to do something with one click, but also about being proactive and informing the user that they can login to a site with an identity they already have.
This can be as simple as telling the browser "identity agent" (e.g. sxipper) which email addresses the user has and letting the identity agent figure out which OpenID's the user has that they don't even know about.

I think relying party sites that support OpenID could do more to make it clear on their home pages that they support OpenID (as often it's hidden behind another click). This could be as simple as some tags that advertise support for OpenID. Maybe a to the XRDS doc describing the services of the site. Then the identity agent can discover the relying party OpenID return_to endpoint and log the user in directly. Can be used to solve a phishing problem and makes the experience easy for the user.

Some related thoughts ....
http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html

Thanks,
George

From James.McGovern at thehartford.com Wed Apr 2 06:28:59 2008
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT)) Date: Wed, 2 Apr 2008 09:28:59 -0400 Subject: OpenID and Yahoo In-Reply-To: References: Message-ID: <9C557D8C6864CA438EF362318A3DF6D5649169@AD1HFDEXC306.ad1.prod>

Does anyone have a perspective on Yahoo and AOL and their weak support for OpenID? It is good that they are a provider, but shouldn't they really also allow access based on an OpenID issued by signon.com, myvidoop.com and others...
From dick at sxip.com Wed Apr 2 08:43:09 2008
From: dick at sxip.com (Dick Hardt) Date: Wed, 2 Apr 2008 08:43:09 -0700 Subject: OpenID and Yahoo In-Reply-To: <9C557D8C6864CA438EF362318A3DF6D5649169@AD1HFDEXC306.ad1.prod> References: <9C557D8C6864CA438EF362318A3DF6D5649169@AD1HFDEXC306.ad1.prod> Message-ID: <82E585A8-5FD9-414E-AAAD-312C451131A2@sxip.com>

On 2-Apr-08, at 6:28 AM, McGovern, James F (HTSC, IT) wrote:
> Does anyone have a perspective on Yahoo and AOL and their weak support for OpenID? It is good that they are a provider, but shouldn't they really also allow access based on an OpenID issued by signon.com, myvidoop.com and others...

I would be much more interested in them supporting Attribute Exchange so that their users' data could easily be consumed by other sites.

This topic was recently covered by TechCrunch[1] and I responded [2]

-- Dick

[1] http://www.techcrunch.com/2008/03/24/is-openid-being-exploited-by-the-big-internet-companies/
[2] http://identity20.com/?p=147

From paulej at packetizer.com Wed Apr 2 09:14:07 2008
From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 2 Apr 2008 12:14:07 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <6E514F46-6262-43B3-987C-3CD5640D7DBB@josephholsten.com> References: <03d401c89469$86c56720$94503560$@com> <6E514F46-6262-43B3-987C-3CD5640D7DBB@josephholsten.com> Message-ID: <050601c894dc$942fdda0$bc8f98e0$@com>

Joseph,

That argument was given to me yesterday, but I don't think you really need to worry with your DNS provider unless you're also trying to operate your own OP. Suppose, for example, you have an ID assigned by myopenid.com. I don't know what URI format they'll use, but let's say it is https://myopenid.com/joseph. Or, perhaps it's https://joseph.myopenid.com. Whatever the format, there is always a user component to it.
So, it would be quite simple to take the user component and put it into an e-mail ID style like joseph at myopenid.com. This does not necessarily mean you have an e-mail address, but it could be an e-mail address. The conversion from that form to a URI form is easily achieved via NAPTR records similar to the one I show below.

So, before any XRDS query is performed, the RP would see if the ID provided is an e-mail-style ID. If so, query for the NAPTR record and then perform the conversion from the e-mail-style to a URL. From there, it all works the same. It's just a "make it simple" enhancement that requires no changes to the core OpenID specs.

Paul

From: Joseph Holsten [mailto:josephholsten at gmail.com] On Behalf Of Joseph Anthony Pasquale Holsten
Sent: Wednesday, April 02, 2008 4:52 AM
To: Paul E. Jones
Cc: specs at openid.net
Subject: Re: Using email address as OpenID identifier

Does anyone have the time to write an email -> xrds discovery spec so we can formally ignore it? And so people can argue with their dns providers instead of on list?

http:// Joseph Holsten .com

On 02008:04:01, at 9:30CDT, Paul E. Jones wrote:

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right. While the e-mail address does not have to be one's ID, it can certainly serve as an alias.
Suppose, for example, that the DNS records at Yahoo contained the following entry:

yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal with.

If something like this has been discussed and rejected, what was the reason?

Thanks,
Paul

_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/specs/attachments/20080402/bcb9ea81/attachment.htm

From drummond.reed at cordance.net Wed Apr 2 11:38:13 2008
From: drummond.reed at cordance.net (Drummond Reed)
Date: Wed, 2 Apr 2008 11:38:13 -0700
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <47F37EFA.7090001@aol.com>
Message-ID: <024501c894f0$b65a6b20$6d01a8c0@ELROND>

> > Dick Hardt wrote:
> >
> > :-) ... that label would be more accurate. There is lots of work to be
> > done to make OpenID simpler for users. I think that what will be easy
> > for users is something provided by the browser that lets the user
> > click to initiate a login or registration. No typing is better than
> > any typing! Back when we started working on the protocols we could not
> > expect this kind of functionality to be in the browsers. Now that
> > awareness is higher, having it built into the browser is feasible. I
> > of course am biased given the work we have done with Sxipper
> > http://sxipper.com :)
> For the majority of users, this is probably the most likely path of
> introduction to OpenID.
> Note that it's not just about allowing the user
> to do something with one click, but also about being proactive and
> informing the user that they can login to a site with an identity they
> already have. This can be as simple as telling the browser "identity
> agent" (e.g. sxipper) which email addresses the user has and letting the
> identity agent figure out which OpenIDs the user has that they don't
> even know about.
>
> George Fletcher wrote:
>
> I think relying party sites that support OpenID could do more to make it
> clear on their home pages that they support OpenID (as often it's hidden
> behind another click). This could be as simple as some tags that
> advertise support for OpenID. Maybe a to the XRDS doc describing
> the services of the site. Then the identity agent can discover the
> relying party OpenID return_to endpoint and log the user in directly.
> Can be used to solve a phishing problem and makes the experience easy
> for the user.
>
> Some related thoughts ....
> http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
>
> http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html

George, I read your two posts with great interest...and then noticed that they were last summer!

You are a man ahead of your time.

Where has discussion of your "IDMML" gone since your posts?

=Drummond

From gffletch at aol.com Wed Apr 2 11:50:26 2008
From: gffletch at aol.com (George Fletcher)
Date: Wed, 02 Apr 2008 14:50:26 -0400
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <024501c894f0$b65a6b20$6d01a8c0@ELROND>
References: <024501c894f0$b65a6b20$6d01a8c0@ELROND>
Message-ID: <47F3D572.6010705@aol.com>

Drummond Reed wrote:
>>> Dick Hardt wrote:
>>>
>>> :-) ... that label would be more accurate. There is lots of work to be
>>> done to make OpenID simpler for users.
>>> I think that what will be easy
>>> for users is something provided by the browser that lets the user
>>> click to initiate a login or registration. No typing is better than
>>> any typing! Back when we started working on the protocols we could not
>>> expect this kind of functionality to be in the browsers. Now that
>>> awareness is higher, having it built into the browser is feasible. I
>>> of course am biased given the work we have done with Sxipper
>>> http://sxipper.com :)
>>>
>> For the majority of users, this is probably the most likely path of
>> introduction to OpenID. Note that it's not just about allowing the user
>> to do something with one click, but also about being proactive and
>> informing the user that they can login to a site with an identity they
>> already have. This can be as simple as telling the browser "identity
>> agent" (e.g. sxipper) which email addresses the user has and letting the
>> identity agent figure out which OpenIDs the user has that they don't
>> even know about.
>>
>> George Fletcher wrote:
>>
>> I think relying party sites that support OpenID could do more to make it
>> clear on their home pages that they support OpenID (as often it's hidden
>> behind another click). This could be as simple as some tags that
>> advertise support for OpenID. Maybe a to the XRDS doc describing
>> the services of the site. Then the identity agent can discover the
>> relying party OpenID return_to endpoint and log the user in directly.
>> Can be used to solve a phishing problem and makes the experience easy
>> for the user.
>>
>> Some related thoughts ....
>> http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
>>
>> http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html
>>
>
> George, I read your two posts with great interest...and then noticed that
> they were last summer!
>
> You are a man ahead of your time.
>
> Where has discussion of your "IDMML" gone since your posts?
>
> =Drummond

Unfortunately, not as far as I'd like :( I've not been able to get back to the ideas and take them farther. With the other things that have happened in the last 6 months there are needed revisions. Maybe this could be a discussion at IIW (if there is enough interest)?

At the time there was less consensus around XRDS as a service "description/meta-data" markup. With that changing, the time is better to move this forward. I suspect there are significant synergies with what Peter hinted at in the work with XRDS, IDP Discovery, and SAML. It would be great if identity agents could be the glue that binds the different identity systems together for the user (until we on the technology side get closer to real convergence:).

Thanks,
George

From christopher at pobox.com Wed Apr 2 13:29:48 2008
From: christopher at pobox.com (Chris Drake)
Date: Thu, 3 Apr 2008 06:29:48 +1000
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <024501c894f0$b65a6b20$6d01a8c0@ELROND>
References: <47F37EFA.7090001@aol.com> <024501c894f0$b65a6b20$6d01a8c0@ELROND>
Message-ID: <996955838.20080403062948@pobox.com>

Hi Drummond,

I pushed hard for RP identification for 2 or 3 months back around October 2006. If anyone wants to go back through the archives, there's a pile of other important reasons to have some way that an IdP and/or browser agent can identify an OpenID-enabled site. The antique thread below lists a few. My proposal too was a <link> tag.

Kind Regards,
Chris Drake

Tuesday, November 7, 2006, 12:51:15 I, you wrote:

CD> Hi Johannes,

CD> I proposed a solution to the "single sign out" problem a month or two
CD> ago.

CD> In fact - a whole range of solutions have been proposed, and relative
CD> merits of all discussed already - does anyone have the free time to go
CD> back over the postings, extract all the knowledge & contributions, and
CD> document them all?
CD> To summarize my proposal - I was seeking a standardized OpenID RP
CD> endpoint interface into which I (as an IdP) or a software agent (eg: a
CD> browser plugin) could "post" user information - be this a login
CD> request, email change request, log-out request, account signup,
CD> account cancelation, or whatever. My preferred implementation was a
CD> <link> tag placed on (and thus identifying) a login page, and within
CD> the link tag, the endpoint of the RP for accepting IdP(OP/agent)
CD> input.

CD> Kind Regards,
CD> Chris Drake

CD> Tuesday, November 7, 2006, 1:04:44 PM, you wrote:

JE>> I continue to believe that we need single-sign-out
JE>> functionality, in particular once OpenID moves up the stack for
JE>> higher-value transactions.

JE>> Some people have made the case that that is undesirable
JE>> and/or impossible; I beg to differ.

JE>> Having automatic authentication against the IdP is quite
JE>> similar to not having a password on the identity at all, in that
JE>> it reduces the confidence that we know the real-world identity of
JE>> the entity/user at the other end. In my view, there's nothing
JE>> wrong with that, but we do need to be able to convey that to
JE>> relying parties in a way that cannot be easily attacked.

JE>> On Nov 6, 2006, at 16:41, Joshua Viney wrote:

JE>> One question re: User Experience and single-sign-on comes to mind:

JE>> How do we treat users who are accessing their IdP and
JE>> Relying Parties via public computers?
JE>> Use Case:
JE>> Good User at public library wants to leave a comment on Blog X
JE>> Blog X requires the person to authenticate via OpenID
JE>> Good User enters their OpenID and successfully authenticates
JE>> via email and password (or whatever) (and authorizes the RP
JE>> ('realm' in 2.0) if necessary) at their IdP
JE>> Good User is redirected to Blog X signed in
JE>> Good User leaves comment
JE>> Good User signs out of Blog X (if sign out is even an option)
JE>> Good User then leaves the public library and goes shopping
JE>> Evil User jumps on computer and proceeds to leave comments at
JE>> any number of OpenID enabled blogs using Good User's OpenID (he
JE>> saw it while looking over Good User's shoulder, or he checks any
JE>> sites that Good User did NOT sign out of that might display his
JE>> OpenID)
JE>> Evil User uses Good User's signed in IdP session to sign into any number of sites, etc

JE>> Outcome: Good User's reputation is ruined and his/her OpenID
JE>> is banned from a whole list of Relying Parties. Good User then
JE>> blames their IdP, the Relying Parties and OpenID as a technology
JE>> and tells everyone he/she knows not to use it, blogs about it and
JE>> initiates a press release.

JE>> It may be easy to pass this off as an implementation specific
JE>> issue or as "user error", but this use case is somewhat likely for
JE>> 2 reasons:

JE>> 1. A user's OpenID URI is not necessarily a private thing
JE>> (obscurity is not security anyway)
JE>> 2. Users will be at least 1 site removed from their IdP while
JE>> accessing a Relying Party, and no one is used to signing out twice
JE>> 3. It is very very likely that IdPs will use some type of "remember me" functionality

JE>> One solution to consider would be a global sign-out feature
JE>> on relying party sites that signs users out of their IdP as well.
JE>> Another solution would be to make very specific recommendations
JE>> about messaging users who may be using public computers.
JE>> Josh Viney
JE>> http://www.eastmedia.com -- EastMedia
JE>> http://identity.eastmedia.com -- OpenID, Identity 2.0

JE>> _______________________________________________
JE>> user-experience mailing list
JE>> user-experience at openid.net
JE>> http://openid.net/mailman/listinfo/user-experience

Kind Regards,
Chris Drake,
=1id.com

Thursday, April 3, 2008, 4:38:13 AM, you wrote:

>> > Dick Hardt wrote:
>> >
>> > :-) ... that label would be more accurate. There is lots of work to be
>> > done to make OpenID simpler for users. I think that what will be easy
>> > for users is something provided by the browser that lets the user
>> > click to initiate a login or registration. No typing is better than
>> > any typing! Back when we started working on the protocols we could not
>> > expect this kind of functionality to be in the browsers. Now that
>> > awareness is higher, having it built into the browser is feasible. I
>> > of course am biased given the work we have done with Sxipper
>> > http://sxipper.com :)
>> For the majority of users, this is probably the most likely path of
>> introduction to OpenID. Note that it's not just about allowing the user
>> to do something with one click, but also about being proactive and
>> informing the user that they can login to a site with an identity they
>> already have. This can be as simple as telling the browser "identity
>> agent" (e.g. sxipper) which email addresses the user has and letting the
>> identity agent figure out which OpenIDs the user has that they don't
>> even know about.
>>
>> George Fletcher wrote:
>>
>> I think relying party sites that support OpenID could do more to make it
>> clear on their home pages that they support OpenID (as often it's hidden
>> behind another click). This could be as simple as some tags that
>> advertise support for OpenID. Maybe a to the XRDS doc describing
>> the services of the site.
>> Then the identity agent can discover the
>> relying party OpenID return_to endpoint and log the user in directly.
>> Can be used to solve a phishing problem and makes the experience easy
>> for the user.
>>
>> Some related thoughts ....
>> http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
>>
>> http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html

DR> George, I read your two posts with great interest...and then noticed that
DR> they were last summer!

DR> You are a man ahead of your time.

DR> Where has discussion of your "IDMML" gone since your posts?

DR> =Drummond

DR> _______________________________________________
DR> specs mailing list
DR> specs at openid.net
DR> http://openid.net/mailman/listinfo/specs

From drummond.reed at cordance.net Wed Apr 2 15:40:37 2008
From: drummond.reed at cordance.net (Drummond Reed)
Date: Wed, 2 Apr 2008 15:40:37 -0700
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <996955838.20080403062948@pobox.com>
Message-ID: <02fb01c89512$93881c60$6d01a8c0@ELROND>

Chris, I remember that well, and I agree that it makes a lot of sense. I think when this is combined with George's concept of the other ways in which a local identity agent can assist the user, then IDMML really starts to gain some legs. See also my reply to George.

=Drummond

> -----Original Message-----
> From: Chris Drake [mailto:christopher at pobox.com]
> Sent: Wednesday, April 02, 2008 1:30 PM
> To: Drummond Reed
> Cc: 'George Fletcher'; 'Dick Hardt'; specs at openid.net
> Subject: Re: IDMML (was RE: Using email address as OpenID identifier)
>
> Hi Drummond,
>
> I pushed hard for RP identification for 2 or 3 months back around
> October 2006. If anyone wants to go back through the archives,
> there's a pile of other important reasons to have some way that an IdP
> and/or browser agent can identify an OpenID-enabled site. The antique
> thread below lists a few. My proposal too was a <link> tag.
>
> Kind Regards,
> Chris Drake
>
> Tuesday, November 7, 2006, 12:51:15 I, you wrote:
>
> CD> Hi Johannes,
>
> CD> I proposed a solution to the "single sign out" problem a month or two
> CD> ago.
>
> CD> In fact - a whole range of solutions have been proposed, and relative
> CD> merits of all discussed already - does anyone have the free time to go
> CD> back over the postings, extract all the knowledge & contributions, and
> CD> document them all?
>
> CD> To summarize my proposal - I was seeking a standardized OpenID RP
> CD> endpoint interface into which I (as an IdP) or a software agent (eg: a
> CD> browser plugin) could "post" user information - be this a login
> CD> request, email change request, log-out request, account signup,
> CD> account cancelation, or whatever. My preferred implementation was a
> CD> <link> tag placed on (and thus identifying) a login page, and within
> CD> the link tag, the endpoint of the RP for accepting IdP(OP/agent)
> CD> input.
>
> CD> Kind Regards,
> CD> Chris Drake
>
> CD> Tuesday, November 7, 2006, 1:04:44 PM, you wrote:
>
> JE>> I continue to believe that we need single-sign-out
> JE>> functionality, in particular once OpenID moves up the stack for
> JE>> higher-value transactions.
>
> JE>> Some people have made the case that that is undesirable
> JE>> and/or impossible; I beg to differ.
>
> JE>> Having automatic authentication against the IdP is quite
> JE>> similar to not having a password on the identity at all, in that
> JE>> it reduces the confidence that we know the real-world identity of
> JE>> the entity/user at the other end. In my view, there's nothing
> JE>> wrong with that, but we do need to be able to convey that to
> JE>> relying parties in a way that cannot be easily attacked.
>
> JE>> On Nov 6, 2006, at 16:41, Joshua Viney wrote:
>
> JE>> One question re: User Experience and single-sign-on comes to mind:
>
> JE>> How do we treat users who are accessing their IdP and
> JE>> Relying Parties via public computers?
>
> JE>> Use Case:
> JE>> Good User at public library wants to leave a comment on Blog X
> JE>> Blog X requires the person to authenticate via OpenID
> JE>> Good User enters their OpenID and successfully authenticates
> JE>> via email and password (or whatever) (and authorizes the RP
> JE>> ('realm' in 2.0) if necessary) at their IdP
> JE>> Good User is redirected to Blog X signed in
> JE>> Good User leaves comment
> JE>> Good User signs out of Blog X (if sign out is even an option)
> JE>> Good User then leaves the public library and goes shopping
> JE>> Evil User jumps on computer and proceeds to leave comments at
> JE>> any number of OpenID enabled blogs using Good User's OpenID (he
> JE>> saw it while looking over Good User's shoulder, or he checks any
> JE>> sites that Good User did NOT sign out of that might display his
> JE>> OpenID)
> JE>> Evil User uses Good User's signed in IdP session to sign into any
> number of sites, etc
>
> JE>> Outcome: Good User's reputation is ruined and his/her OpenID
> JE>> is banned from a whole list of Relying Parties. Good User then
> JE>> blames their IdP, the Relying Parties and OpenID as a technology
> JE>> and tells everyone he/she knows not to use it, blogs about it and
> JE>> initiates a press release.
>
> JE>> It may be easy to pass this off as an implementation specific
> JE>> issue or as "user error", but this use case is somewhat likely for
> JE>> 2 reasons:
>
> JE>> 1. A user's OpenID URI is not necessarily a private thing
> JE>> (obscurity is not security anyway)
> JE>> 2. Users will be at least 1 site removed from their IdP while
> JE>> accessing a Relying Party, and no one is used to signing out twice
> JE>> 3.
It is very very likely that IdPs will use some type of "remember
> me" functionality
>
> JE>> One solution to consider would be a global sign-out feature
> JE>> on relying party sites that signs users out of their IdP as well.
> JE>> Another solution would be to make very specific recommendations
> JE>> about messaging users who may be using public computers.
>
> JE>> Josh Viney
> JE>> http://www.eastmedia.com -- EastMedia
> JE>> http://identity.eastmedia.com -- OpenID, Identity 2.0
>
> JE>> _______________________________________________
> JE>> user-experience mailing list
> JE>> user-experience at openid.net
> JE>> http://openid.net/mailman/listinfo/user-experience
>
> Kind Regards,
> Chris Drake,
> =1id.com
>
> Thursday, April 3, 2008, 4:38:13 AM, you wrote:
>
> >> > Dick Hardt wrote:
> >> >
> >> > :-) ... that label would be more accurate. There is lots of work to be
> >> > done to make OpenID simpler for users. I think that what will be easy
> >> > for users is something provided by the browser that lets the user
> >> > click to initiate a login or registration. No typing is better than
> >> > any typing! Back when we started working on the protocols we could not
> >> > expect this kind of functionality to be in the browsers. Now that
> >> > awareness is higher, having it built into the browser is feasible. I
> >> > of course am biased given the work we have done with Sxipper
> >> > http://sxipper.com :)
> >> For the majority of users, this is probably the most likely path of
> >> introduction to OpenID. Note that it's not just about allowing the user
> >> to do something with one click, but also about being proactive and
> >> informing the user that they can login to a site with an identity they
> >> already have. This can be as simple as telling the browser "identity
> >> agent" (e.g.
sxipper) which email addresses the user has and letting the
> >> identity agent figure out which OpenIDs the user has that they don't
> >> even know about.
> >>
> >> George Fletcher wrote:
> >>
> >> I think relying party sites that support OpenID could do more to make it
> >> clear on their home pages that they support OpenID (as often it's hidden
> >> behind another click). This could be as simple as some tags that
> >> advertise support for OpenID. Maybe a to the XRDS doc describing
> >> the services of the site. Then the identity agent can discover the
> >> relying party OpenID return_to endpoint and log the user in directly.
> >> Can be used to solve a phishing problem and makes the experience easy
> >> for the user.
> >>
> >> Some related thoughts ....
> >> http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
> >>
> >> http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html
>
> DR> George, I read your two posts with great interest...and then noticed that
> DR> they were last summer!
>
> DR> You are a man ahead of your time.
>
> DR> Where has discussion of your "IDMML" gone since your posts?
>
> DR> =Drummond
>
> DR> _______________________________________________
> DR> specs mailing list
> DR> specs at openid.net
> DR> http://openid.net/mailman/listinfo/specs

From drummond.reed at cordance.net Wed Apr 2 15:54:46 2008
From: drummond.reed at cordance.net (Drummond Reed)
Date: Wed, 2 Apr 2008 15:54:46 -0700
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <47F3D572.6010705@aol.com>
Message-ID: <030201c89514$8d33dcd0$6d01a8c0@ELROND>

> >> George Fletcher wrote:
> >>
> >> I think relying party sites that support OpenID could do more to make it
> >> clear on their home pages that they support OpenID (as often it's hidden
> >> behind another click). This could be as simple as some tags that
> >> advertise support for OpenID.
> >> Maybe a to the XRDS doc describing
> >> the services of the site. Then the identity agent can discover the
> >> relying party OpenID return_to endpoint and log the user in directly.
> >> Can be used to solve a phishing problem and makes the experience easy
> >> for the user.
> >>
> >> Some related thoughts ....
> >> http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
> >>
> >> http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html
> >>
>
> Drummond wrote:
> > George, I read your two posts with great interest...and then noticed that
> > they were last summer!
> >
> > You are a man ahead of your time.
> >
> > Where has discussion of your "IDMML" gone since your posts?
>
> George wrote:
> Unfortunately, not as far as I'd like :( I've not been able to get back
> to the ideas and take them farther. With the other things that have
> happened in the last 6 months there are needed revisions. Maybe this
> could be a discussion at IIW (if there is enough interest)?
>
> At the time there was less consensus around XRDS as a service
> "description/meta-data" markup. With that changing, the time is better
> to move this forward. I suspect there are significant synergies with
> what Peter hinted at in the work with XRDS, IDP Discovery, and SAML. It
> would be great if identity agents could be the glue that binds the
> different identity systems together for the user (until we on the
> technology side get closer to real convergence:).

George, I agree that several things have evolved which could make an IDMML practical now. Seems like a very good topic for IIW.
I just put it on the list of proposed sessions:

http://iiw.idcommons.net/index.php/Proposed_Topics_2008a

=Drummond

From mart at degeneration.co.uk Mon Apr 7 10:56:57 2008
From: mart at degeneration.co.uk (Martin Atkins)
Date: Mon, 07 Apr 2008 18:56:57 +0100
Subject: Using email address as OpenID identifier
In-Reply-To: <040c01c89473$8716fe00$9544fa00$@com>
References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com>
Message-ID: <47FA6069.1040800@degeneration.co.uk>

Paul E. Jones wrote:
>
> Perhaps it is important to say, though, that I do not think it requires
> the e-mail providers to get on board with this (in my view) simpler
> notation. I could use an ID like paulej at myopenid.com and that should
> work, if myopenid.com would publish the appropriate NAPTR record. I
> could also insert NAPTR records into the packetizer.com DNS server that
> would allow me to use my email address, but point at my preferred OpenID
> provider. In short, just because the user at domain syntax is used does
> not mean that it is necessarily an e-mail address: it could be, but more
> importantly, it just follows that familiar format documented in RFC 822.
>

Funnily enough, I've always perceived the fact that syntactically-valid but non-existent email addresses are being used as identifiers as a problem rather than a benefit:

* It creates confusion for users when something looks like an email address but it doesn't behave as one. I've seen this sort of confusion with Jabber servers, where users get confused that their Jabber ID and email address are not the same, especially when Jabber clients say "For example, user at example.com" under the Jabber ID field.
* If not all email-shaped OpenID identifiers are actually working mailboxes, it's likely to lead to a distressing user experience where the user is first asked to enter their OpenID identifier -- that is, their email address -- and then they're asked to enter and verify their email address. At this point, I expect users to at best say "Stupid computer! Remember what I've told you!" and at worst get confused and think that the OpenID identifier they entered was not correct.

* As has often been raised in both the OpenID-with-email and in the Jabber circles, many people are reluctant to give up their email addresses to the public eye for fear of spam. Note that Yahoo.com will, by default, use a big opaque string as an identifier rather than the user's Yahoo! account name for this very reason.

From mart at degeneration.co.uk Mon Apr 7 10:58:31 2008
From: mart at degeneration.co.uk (Martin Atkins)
Date: Mon, 07 Apr 2008 18:58:31 +0100
Subject: Using email address as OpenID identifier
In-Reply-To: <048401c89488$e44465d0$accd3170$@com>
References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> <048401c89488$e44465d0$accd3170$@com>
Message-ID: <47FA60C7.5070203@degeneration.co.uk>

Paul E. Jones wrote:
>
> I'll give you that one: that's certainly easier. But, does it not cause
> some confusion? After all, one's identity is not yahoo.com, but that is
> the identity provider. Perhaps the prompts around the Internet ought to
> say "OpenID Provider:" instead? :-)
>

I propose that the caption be "Whatever your OpenID provider told you to enter: ". (I joke, of course. Mostly.)
From James.McGovern at thehartford.com Mon Apr 7 12:21:07 2008
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Mon, 7 Apr 2008 15:21:07 -0400
Subject: Using email address as OpenID identifier
In-Reply-To:
References:
Message-ID: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod>

This would require defining an OpenID SRV record in DNS. Would make sense for someone to get this formally defined as part of IETF. Could kinda be done in the same way that Boeing is moving forward definition of XRI in LDAP..

-----Original Message-----

Message: 1
Date: Mon, 07 Apr 2008 18:56:57 +0100
From: Martin Atkins
Subject: Re: Using email address as OpenID identifier
To: specs at openid.net
Message-ID: <47FA6069.1040800 at degeneration.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul E. Jones wrote:
>
> Perhaps it is important to say, though, that I do not think it
> requires the e-mail providers to get on board with this (in my view)
> simpler notation. I could use an ID like paulej at myopenid.com and that
> should work, if myopenid.com would publish the appropriate NAPTR
> record. I could also insert NAPTR records into the packetizer.com DNS
> server that would allow me to use my email address, but point at my
> preferred OpenID provider. In short, just because the user at domain
> syntax is used does not mean that it is necessarily an e-mail address: it
> could be, but more importantly, it just follows that familiar format documented in RFC 822.
>

Funnily enough, I've always perceived the fact that syntactically-valid but non-existent email addresses are being used as identifiers as a problem rather than a benefit:

* It creates confusion for users when something looks like an email address but it doesn't behave as one.
I've seen this sort of confusion with Jabber servers, where users get confused that their Jabber ID and email address are not the same, especially when Jabber clients say "For example, user at example.com" under the Jabber ID field. * If not all email-shaped OpenID identifiers are actually working mailboxes, it's likely to lead to a distressing user experience where the user is first asked to enter their OpenID identifier -- that is, their email address -- and then they're asked to enter and verify their email address. At this point, I expect users to at best say "Stupid computer! Remember what I've told you!" and at worst get confused and think that the OpenID identifier they entered was not correct. * As has often been raised in both the OpenID-with-email and in the Jabber circles, many people are reluctant to give up their email addresses to the public eye for fear of spam. Note that Yahoo.com will, by default, use a big opaque string as an identifier rather than the user's Yahoo! account name for this very reason. ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. 
************************************************************************* From holger at baxmann.com Mon Apr 7 14:55:27 2008 From: holger at baxmann.com (Holger Baxmann) Date: Mon, 7 Apr 2008 23:55:27 +0200 Subject: Using email address as OpenID identifier In-Reply-To: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> Message-ID: <2F5F0642-B6E4-455A-831F-72AFAC3E5011@baxmann.com> What about having an ENUM e164.org record holding not only the IP of an SIP-Broker, but the OpenID ID. Whatever format and syntax it might have. The appropriate IETF RFC 2916 "E.164 number and DNS" could provide not only mangling with eMail addresses but also with telephone numbers: this will provide much more fun ! But seriously: mixing the POTS numbering system with the now good old internet identification could be an in-place solution, IMHO. 2ct .bax Am 07.04.2008 um 21:21 schrieb McGovern, James F (HTSC, IT): > This would require defining an OpenID SRV record in DNS. Would make > sense for someone to get this formally defined as part of IETF. Could > kinda be done in the same way that Boeing is moving forward definition > of XRI in LDAP.. > > -----Original Message----- > > Message: 1 > Date: Mon, 07 Apr 2008 18:56:57 +0100 > From: Martin Atkins > Subject: Re: Using email address as OpenID identifier > To: specs at openid.net > Message-ID: <47FA6069.1040800 at degeneration.co.uk> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Paul E. Jones wrote: >> >> Perhaps it is important to say, though, that I do not think it >> requires the e-mail providers to get on board with this (in my view) >> simpler notation. I could use an ID like paulej at myopenid.com and >> that > >> should work, if myopenid.com would publish the appropriate NAPTR >> record. 
I could also insert NAPTR records into the packetizer.com >> DNS > >> server that would allow me to use my email address, but point at my >> preferred OpenID provider. In short, just because the user at domain >> syntax is used does not mean that it is necessarily an e-mail address: >> it > >> could be, but more importantly, it just follows that familiar format > documented in RFC 822. >> > > Funnily enough, I've always perceived the fact that syntactically- > valid > but non-existent email addresses are being used as identifiers as a > problem rather than a benefit: > > * It creates confusion for users when something looks like an email > address but it doesn't behave as one. I've seen this sort of confusion > with Jabber servers, where users get confused that their Jabber ID and > email address are not the same, especially when Jabber clients say > "For > example, user at example.com" under the Jabber ID field. > > * If not all email-shaped OpenID identifiers are actually working > mailboxes, it's likely to lead to a distressing user experience where > the user is first asked to enter their OpenID identifier -- that is, > their email address -- and then they're asked to enter and verify > their > email address. At this point, I expect users to at best say "Stupid > computer! Remember what I've told you!" and at worst get confused and > think that the OpenID identifier they entered was not correct. > > * As has often been raised in both the OpenID-with-email and in the > Jabber circles, many people are reluctant to give up their email > addresses to the public eye for fear of spam. Note that Yahoo.com > will, > by default, use a big opaque string as an identifier rather than the > user's Yahoo! account name for this very reason. 
> > > > > ************************************************************************* > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the > intended > recipient, any use, copying, disclosure, dissemination or > distribution is > strictly prohibited. If you are not the intended recipient, please > notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. > ************************************************************************* > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs From hexayurt at gmail.com Wed Apr 9 02:52:53 2008 From: hexayurt at gmail.com (Vinay Gupta) Date: Wed, 9 Apr 2008 11:52:53 +0200 Subject: Google OpenID is now live Message-ID: http://openid-provider.appspot.com/ Somebody used their app hosting service and implemented an OpenID provider. That kind of changes things, doesn't it? Vinay -- Vinay Gupta - Designer, Hexayurt Project - an excellent public domain refugee shelter system Gizmo Project VOIP: 775-743-1851 (usually works!) http://hexayurt.com/ Cell: Iceland (+354) 869-4605 Skype/Gizmo/Gtalk: hexayurt People with courage and character always seem sinister to the rest Herman Hesse -------------- next part -------------- An HTML attachment was scrubbed... URL: http://openid.net/pipermail/specs/attachments/20080409/0fc100f2/attachment.htm From paulmadsen at rogers.com Wed Apr 9 04:49:51 2008 From: paulmadsen at rogers.com (Paul Madsen) Date: Wed, 09 Apr 2008 07:49:51 -0400 Subject: Google OpenID is now live In-Reply-To: References: Message-ID: <47FCAD5F.1020701@rogers.com> I expect Google might have a (legal) opinion on characterizing this application as 'Google OpenID' I think I'll wait for Google itself to enable my Gmail as an OpenID. 
paul Vinay Gupta wrote: > http://openid-provider.appspot.com/ > > Somebody used their app hosting service and implemented an OpenID > provider. > > That kind of changes things, doesn't it? > > Vinay > > > > > > > > > -- > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > refugee shelter system > Gizmo Project VOIP: 775-743-1851 (usually works!) > http://hexayurt.com/ > Cell: Iceland (+354) 869-4605 > Skype/Gizmo/Gtalk: hexayurt > People with courage and character always seem sinister to the rest > Herman Hesse > > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > No virus found in this incoming message. > Checked by AVG. > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: 4/8/2008 7:30 AM > -- Paul Madsen e:paulmadsen @ ntt-at.com NTT p:613-482-0432 m:613-282-8647 aim:PaulMdsn5 web:connectid.blogspot.com From i.akhund at gmail.com Wed Apr 9 06:09:00 2008 From: i.akhund at gmail.com (Immad Akhund) Date: Wed, 9 Apr 2008 14:09:00 +0100 Subject: Google OpenID is now live In-Reply-To: <47FCAD5F.1020701@rogers.com> References: <47FCAD5F.1020701@rogers.com> Message-ID: <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> When Google eventually does make a proper OpenID provider all the OpenIDs provided by openid-provider.appspot.com would not match. Would get very confusing apart from advanced users that understand the distinction. Immad On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen wrote: > I expect Google might have a (legal) opinion on characterizing this > application as 'Google OpenID' > > I think I'll wait for Google itself to enable my Gmail as an OpenID. 
> > paul > > Vinay Gupta wrote: > > http://openid-provider.appspot.com/ > > > > Somebody used their app hosting service and implemented an OpenID > > provider. > > > > That kind of changes things, doesn't it? > > > > Vinay > > > > > > > > > > > > > > > > > > -- > > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > > refugee shelter system > > Gizmo Project VOIP: 775-743-1851 (usually works!) > > http://hexayurt.com/ > > Cell: Iceland (+354) 869-4605 > > Skype/Gizmo/Gtalk: hexayurt > > People with courage and character always seem sinister to the rest > > Herman Hesse > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > > > ------------------------------------------------------------------------ > > > > No virus found in this incoming message. > > Checked by AVG. > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: > 4/8/2008 7:30 AM > > > > -- > Paul Madsen e:paulmadsen @ ntt-at.com > NTT p:613-482-0432 > m:613-282-8647 > aim:PaulMdsn5 > web:connectid.blogspot.com > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > -- Cell: +1 617 460 7271 Skype: i.akhund Blog: http://immadsnewworld.com Clickpass, CTO -------------- next part -------------- An HTML attachment was scrubbed... URL: http://openid.net/pipermail/specs/attachments/20080409/a5c7f18d/attachment.htm From john at extremeswank.com Wed Apr 9 10:45:11 2008 From: john at extremeswank.com (John Ehn) Date: Wed, 9 Apr 2008 13:45:11 -0400 Subject: Google OpenID is now live In-Reply-To: <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> Message-ID: I agree. 
I think this is an excellent technology demonstration, but it is a third-party, not Google, that is enabling the ID. John 2008/4/9 Immad Akhund : > When Google eventually does make a proper OpenID provider all the OpenIDs > provided by openid-provider.appspot.com would not match. > > Would get very confusing apart from advanced users that understand the > distinction. > > Immad > > > On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen > wrote: > > > I expect Google might have a (legal) opinion on characterizing this > > application as 'Google OpenID' > > > > I think I'll wait for Google itself to enable my Gmail as an OpenID. > > > > paul > > > > Vinay Gupta wrote: > > > http://openid-provider.appspot.com/ > > > > > > Somebody used their app hosting service and implemented an OpenID > > > provider. > > > > > > That kind of changes things, doesn't it? > > > > > > Vinay > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > > > refugee shelter system > > > Gizmo Project VOIP: 775-743-1851 (usually works!) > > > http://hexayurt.com/ > > > Cell: Iceland (+354) 869-4605 > > > Skype/Gizmo/Gtalk: hexayurt > > > People with courage and character always seem sinister to the rest > > > Herman Hesse > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > specs mailing list > > > specs at openid.net > > > http://openid.net/mailman/listinfo/specs > > > > > > > > ------------------------------------------------------------------------ > > > > > > No virus found in this incoming message. > > > Checked by AVG. 
> > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: > > 4/8/2008 7:30 AM > > > > > > > -- > > Paul Madsen e:paulmadsen @ ntt-at.com > > NTT p:613-482-0432 > > m:613-282-8647 > > aim:PaulMdsn5 > > web:connectid.blogspot.com > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > > > > > -- > Cell: +1 617 460 7271 > Skype: i.akhund > Blog: http://immadsnewworld.com > > Clickpass, CTO > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://openid.net/pipermail/specs/attachments/20080409/6752e34b/attachment.htm From paulej at packetizer.com Wed Apr 9 11:14:01 2008 From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 9 Apr 2008 14:14:01 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> Message-ID: <03c001c89a6d$7d1f86b0$775e9410$@com> James, I don't think we need SRV records to do this. NAPTR would suffice, as that would allow one to transform one string into another. But, it seems that there is an overwhelming preference for using some kind of string of undetermined structure to identify a user which is not of an e-mail format. (I know there is an intent to use a URI, but most users have no idea what a URI is and few really type them properly.) So, while I still think the form user at provider is better for the user world-wide community, I understand the counter-arguments. And, perhaps I'll be proven wrong-- which is OK. 
Paul > -----Original Message----- > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On > Behalf Of McGovern, James F (HTSC, IT) > Sent: Monday, April 07, 2008 3:21 PM > To: specs at openid.net > Subject: Using email address as OpenID identifier > > This would require defining an OpenID SRV record in DNS. Would make > sense for someone to get this formally defined as part of IETF. Could > kinda be done in the same way that Boeing is moving forward definition > of XRI in LDAP.. > > -----Original Message----- > > Message: 1 > Date: Mon, 07 Apr 2008 18:56:57 +0100 > From: Martin Atkins > Subject: Re: Using email address as OpenID identifier > To: specs at openid.net > Message-ID: <47FA6069.1040800 at degeneration.co.uk> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Paul E. Jones wrote: > > > > Perhaps it is important to say, though, that I do not think it > > requires the e-mail providers to get on board with this (in my view) > > simpler notation. I could use an ID like paulej at myopenid.com and > that > > > should work, if myopenid.com would publish the appropriate NAPTR > > record. I could also insert NAPTR records into the packetizer.com > DNS > > > server that would allow me to use my email address, but point at my > > preferred OpenID provider. In short, just because the user at domain > > syntax is used does not mean that it is necessarily an e-mail address: > it > > > could be, but more importantly, it just follows that familiar format > documented in RFC 822. > > > > Funnily enough, I've always perceived the fact that syntactically-valid > but non-existent email addresses are being used as identifiers as a > problem rather than a benefit: > > * It creates confusion for users when something looks like an email > address but it doesn't behave as one. 
I've seen this sort of confusion > with Jabber servers, where users get confused that their Jabber ID and > email address are not the same, especially when Jabber clients say "For > example, user at example.com" under the Jabber ID field. > > * If not all email-shaped OpenID identifiers are actually working > mailboxes, it's likely to lead to a distressing user experience where > the user is first asked to enter their OpenID identifier -- that is, > their email address -- and then they're asked to enter and verify their > email address. At this point, I expect users to at best say "Stupid > computer! Remember what I've told you!" and at worst get confused and > think that the OpenID identifier they entered was not correct. > > * As has often been raised in both the OpenID-with-email and in the > Jabber circles, many people are reluctant to give up their email > addresses to the public eye for fear of spam. Note that Yahoo.com will, > by default, use a big opaque string as an identifier rather than the > user's Yahoo! account name for this very reason. > > > > > *********************************************************************** > ** > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the > intended > recipient, any use, copying, disclosure, dissemination or distribution > is > strictly prohibited. If you are not the intended recipient, please > notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. 
> *********************************************************************** > ** > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > From hexayurt at gmail.com Wed Apr 9 11:27:22 2008 From: hexayurt at gmail.com (Vinay Gupta) Date: Wed, 9 Apr 2008 20:27:22 +0200 Subject: Google OpenID is now live In-Reply-To: References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> Message-ID: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> I think that kind of misses the point. The *namespace* that google manages is now open for business as an OpenID provider. It's an unanticipated side-effect of the APIs. I think it's kind of a big deal, actually, in terms of how OpenID is right from an engineering perspective and how it can spread in unexpected ways. If only login were so easy. Vinay -- Vinay Gupta - Designer, Hexayurt Project - an excellent public domain refugee shelter system Gizmo Project VOIP: 775-743-1851 (usually works!) http://hexayurt.com/ Cell: Iceland (+354) 869-4605 Skype/Gizmo/Gtalk: hexayurt People with courage and character always seem sinister to the rest Herman Hesse On Apr 9, 2008, at 7:45 PM, John Ehn wrote: > I agree. I think this is an excellent technology demonstration, > but it is a third-party, not Google, that is enabling the ID. > > John > > 2008/4/9 Immad Akhund : > When Google eventually does make a proper OpenID provider all the > OpenIDs provided by openid-provider.appspot.com would not match. > > Would get very confusing apart from advanced users that understand > the distinction. > > Immad > > > On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen > wrote: > I expect Google might have a (legal) opinion on characterizing this > application as 'Google OpenID' > > I think I'll wait for Google itself to enable my Gmail as an OpenID. 
> > paul > > Vinay Gupta wrote: > > http://openid-provider.appspot.com/ > > > > Somebody used their app hosting service and implemented an OpenID > > provider. > > > > That kind of changes things, doesn't it? > > > > Vinay > > > > > > > > > > > > > > > > > > -- > > Vinay Gupta - Designer, Hexayurt Project - an excellent public > domain > > refugee shelter system > > Gizmo Project VOIP: 775-743-1851 (usually works!) > > http://hexayurt.com/ > > Cell: Iceland (+354) 869-4605 > > Skype/Gizmo/Gtalk: hexayurt > > People with courage and character always seem sinister to the rest > > Herman Hesse > > > > > > > ---------------------------------------------------------------------- > -- > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > > > > ---------------------------------------------------------------------- > -- > > > > No virus found in this incoming message. > > Checked by AVG. > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: > 4/8/2008 7:30 AM > > > > -- > Paul Madsen e:paulmadsen @ ntt-at.com > NTT p:613-482-0432 > m:613-282-8647 > aim:PaulMdsn5 > web:connectid.blogspot.com > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > > > -- > Cell: +1 617 460 7271 > Skype: i.akhund > Blog: http://immadsnewworld.com > > Clickpass, CTO > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://openid.net/pipermail/specs/attachments/20080409/e4f92c45/attachment.htm From paulmadsen at rogers.com Wed Apr 9 11:36:04 2008 From: paulmadsen at rogers.com (Paul Madsen) Date: Wed, 09 Apr 2008 14:36:04 -0400 Subject: Google OpenID is now live In-Reply-To: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: <47FD0C94.4000403@rogers.com> if and when Google manages its own namespace as OpenIDs, I hope they provide more consistent QoS - I haven't seen this one work yet paul Vinay Gupta wrote: > > I think that kind of misses the point. The *namespace* that google > manages is now open for business as an OpenID provider. It's an > unanticipated side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is > right from an engineering perspective and how it can spread in > unexpected ways. If only login were so easy. > > Vinay > > > > > > > > -- > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > refugee shelter system > Gizmo Project VOIP: 775-743-1851 (usually works!) > http://hexayurt.com/ > Cell: Iceland (+354) 869-4605 > Skype/Gizmo/Gtalk: hexayurt > People with courage and character always seem sinister to the rest > Herman Hesse > > > On Apr 9, 2008, at 7:45 PM, John Ehn wrote: >> I agree. I think this is an excellent technology demonstration, but >> it is a third-party, not Google, that is enabling the ID. >> >> John >> >> 2008/4/9 Immad Akhund >: >> >> When Google eventually does make a proper OpenID provider all the >> OpenIDs provided by openid-provider.appspot.com >> would not match. >> >> Would get very confusing apart from advanced users that >> understand the distinction. 
>> >> Immad >> >> >> On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen >> > wrote: >> >> I expect Google might have a (legal) opinion on >> characterizing this >> application as 'Google OpenID' >> >> I think I'll wait for Google itself to enable my Gmail as an >> OpenID. >> >> paul >> >> Vinay Gupta wrote: >> > http://openid-provider.appspot.com/ >> > >> > Somebody used their app hosting service and implemented an >> OpenID >> > provider. >> > >> > That kind of changes things, doesn't it? >> > >> > Vinay >> > >> > >> > >> > >> > >> > >> > >> > >> > -- >> > Vinay Gupta - Designer, Hexayurt Project - an excellent >> public domain >> > refugee shelter system >> > Gizmo Project VOIP: 775-743-1851 (usually works!) >> > http://hexayurt.com/ >> > Cell: Iceland (+354) 869-4605 >> > Skype/Gizmo/Gtalk: hexayurt >> > People with courage and character always seem sinister to >> the rest >> > Herman Hesse >> > >> > >> > >> ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > specs mailing list >> > specs at openid.net >> > http://openid.net/mailman/listinfo/specs >> > >> > >> ------------------------------------------------------------------------ >> > >> > No virus found in this incoming message. >> > Checked by AVG. 
>> > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release >> Date: 4/8/2008 7:30 AM >> > >> >> -- >> Paul Madsen e:paulmadsen @ ntt-at.com >> >> NTT p:613-482-0432 >> m:613-282-8647 >> aim:PaulMdsn5 >> web:connectid.blogspot.com >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> >> >> -- >> Cell: +1 617 460 7271 >> Skype: i.akhund >> Blog: http://immadsnewworld.com >> >> Clickpass, CTO >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > No virus found in this incoming message. > Checked by AVG. > Version: 7.5.519 / Virus Database: 269.22.10/1367 - Release Date: 4/9/2008 7:10 AM > -- Paul Madsen e:paulmadsen @ ntt-at.com NTT p:613-482-0432 m:613-282-8647 aim:PaulMdsn5 web:connectid.blogspot.com From jpanzer at acm.org Wed Apr 9 22:47:51 2008 From: jpanzer at acm.org (John Panzer) Date: Wed, 09 Apr 2008 22:47:51 -0700 Subject: Google OpenID is now live In-Reply-To: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: <47FDAA07.3000800@acm.org> Any sufficiently advanced web site system is indistinguishable from an OP. Or, rather, can be turned into an OP. :) Vinay Gupta wrote: > > I think that kind of misses the point. 
The *namespace* that google > manages is now open for business as an OpenID provider. It's an > unanticipated side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is > right from an engineering perspective and how it can spread in > unexpected ways. If only login were so easy. > > Vinay > > > > > > > > -- > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > refugee shelter system > Gizmo Project VOIP: 775-743-1851 (usually works!) > http://hexayurt.com/ > Cell: Iceland (+354) 869-4605 > Skype/Gizmo/Gtalk: hexayurt > People with courage and character always seem sinister to the rest > Herman Hesse > > > On Apr 9, 2008, at 7:45 PM, John Ehn wrote: >> I agree. I think this is an excellent technology demonstration, but >> it is a third-party, not Google, that is enabling the ID. >> >> John >> >> 2008/4/9 Immad Akhund >: >> >> When Google eventually does make a proper OpenID provider all the >> OpenIDs provided by openid-provider.appspot.com >> would not match. >> >> Would get very confusing apart from advanced users that >> understand the distinction. >> >> Immad >> >> >> On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen >> > wrote: >> >> I expect Google might have a (legal) opinion on >> characterizing this >> application as 'Google OpenID' >> >> I think I'll wait for Google itself to enable my Gmail as an >> OpenID. >> >> paul >> >> Vinay Gupta wrote: >> > http://openid-provider.appspot.com/ >> > >> > Somebody used their app hosting service and implemented an >> OpenID >> > provider. >> > >> > That kind of changes things, doesn't it? >> > >> > Vinay >> > >> > >> > >> > >> > >> > >> > >> > >> > -- >> > Vinay Gupta - Designer, Hexayurt Project - an excellent >> public domain >> > refugee shelter system >> > Gizmo Project VOIP: 775-743-1851 (usually works!) 
>> > http://hexayurt.com/ >> > Cell: Iceland (+354) 869-4605 >> > Skype/Gizmo/Gtalk: hexayurt >> > People with courage and character always seem sinister to >> the rest >> > Herman Hesse >> > >> > >> > >> ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > specs mailing list >> > specs at openid.net >> > http://openid.net/mailman/listinfo/specs >> > >> > >> ------------------------------------------------------------------------ >> > >> > No virus found in this incoming message. >> > Checked by AVG. >> > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release >> Date: 4/8/2008 7:30 AM >> > >> >> -- >> Paul Madsen e:paulmadsen @ ntt-at.com >> >> NTT p:613-482-0432 >> m:613-282-8647 >> aim:PaulMdsn5 >> web:connectid.blogspot.com >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> >> >> -- >> Cell: +1 617 460 7271 >> Skype: i.akhund >> Blog: http://immadsnewworld.com >> >> Clickpass, CTO >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://openid.net/pipermail/specs/attachments/20080409/4e217c91/attachment.htm From james at jamesh.id.au Thu Apr 10 00:40:50 2008 From: james at jamesh.id.au (James Henstridge) Date: Thu, 10 Apr 2008 15:40:50 +0800 Subject: Google OpenID is now live In-Reply-To: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: On 10/04/2008, Vinay Gupta wrote: > I think that kind of misses the point. The *namespace* that google manages > is now open for business as an OpenID provider. It's an unanticipated > side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is right > from an engineering perspective and how it can spread in unexpected ways. If > only login were so easy. This service seems pretty much equivalent to Simon Willison's idproxy.net service for Yahoo accounts. The big difference between this sort of service and actual OpenID Provider support from Google/Yahoo is a matter of trust. With an OP run by Google, the user needs to trust Google. With this OP, the user needs to trust whoever is running the OP not to impersonate them. Given the lack of contact information, I'd be hesitant to use identities managed by that service and would not recommend others rely on it. James. From brad at danga.com Thu Apr 10 06:52:44 2008 From: brad at danga.com (Brad Fitzpatrick) Date: Thu, 10 Apr 2008 06:52:44 -0700 Subject: Google OpenID is now live In-Reply-To: References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: <1076e6c00804100652h782c6b96n25cba25d5ff828d6@mail.gmail.com> On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge wrote: > On 10/04/2008, Vinay Gupta wrote: > > I think that kind of misses the point. 
The *namespace* that google > manages > > is now open for business as an OpenID provider. It's an unanticipated > > side-effect of the APIs. > > > > I think it's kind of a big deal, actually, in terms of how OpenID is > right > > from an engineering perspective and how it can spread in unexpected > ways. If > > only login were so easy. > > This service seems pretty much equivalent to Simon Willison's > idproxy.net service for Yahoo accounts. > > The big difference between this sort of service and actual OpenID > Provider support from Google/Yahoo is a matter of trust. > > With an OP run by Google, the user needs to trust Google. With this > OP, the user needs to trust whoever is running the OP not to > impersonate them. Given the lack of contact information, I'd be > hesitant to use identities managed by that service and would not > recommend others rely on it. James, openid-provider.appspot.com was written by a Google engineer, Ryan Barrett, who also did most of the work (including all the initial work) on Blogger's OpenID support: References: http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM http://snarfed.org/space/2008-04-07_google_app_engine_launched http://snarfed.org/space/2007-12-02_openid_comments_in_blogger Further, App Engine apps don't process user credentials directly. They go through an OpenID-like auth process with Google, who actually processes the email/password and tells the App Engine app that somebody logged in, at what email. You can verify this yourself by looking at the form targets and HTTP traffic. See: http://code.google.com/appengine/docs/users/ So I'd say you can pretty much trust an openid-provider.a.com assertion that the person has a Google account. But like others have said, it's not an official Google product. Brad -------------- next part -------------- An HTML attachment was scrubbed... 
From james at jamesh.id.au Thu Apr 10 07:55:08 2008
From: james at jamesh.id.au (James Henstridge)
Date: Thu, 10 Apr 2008 22:55:08 +0800
Subject: Google OpenID is now live
In-Reply-To: <1076e6c00804100652h782c6b96n25cba25d5ff828d6@mail.gmail.com>
References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> <1076e6c00804100652h782c6b96n25cba25d5ff828d6@mail.gmail.com>

On 10/04/2008, Brad Fitzpatrick wrote:
> On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge wrote:
> > On 10/04/2008, Vinay Gupta wrote:
> > > I think that kind of misses the point. The *namespace* that google manages
> > > is now open for business as an OpenID provider. It's an unanticipated
> > > side-effect of the APIs.
> > >
> > > I think it's kind of a big deal, actually, in terms of how OpenID is right
> > > from an engineering perspective and how it can spread in unexpected ways. If
> > > only login were so easy.
> >
> > This service seems pretty much equivalent to Simon Willison's
> > idproxy.net service for Yahoo accounts.
> >
> > The big difference between this sort of service and actual OpenID
> > Provider support from Google/Yahoo is a matter of trust.
> >
> > With an OP run by Google, the user needs to trust Google. With this
> > OP, the user needs to trust whoever is running the OP not to
> > impersonate them. Given the lack of contact information, I'd be
> > hesitant to use identities managed by that service and would not
> > recommend others rely on it.
>
> James,
>
> openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
> who also did most of the work (including all the initial work) on Blogger's
> OpenID support:
>
> References:
>
> http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
> http://snarfed.org/space/2008-04-07_google_app_engine_launched
> http://snarfed.org/space/2007-12-02_openid_comments_in_blogger

Okay. It wasn't clear who was running the service just by looking at the
URL originally posted.

> Further, App Engine apps don't process user credentials directly. They go
> through an OpenID-like auth process with Google, who actually processes the
> email/password and tells the App Engine app that somebody logged in, at what
> email. You can verify this yourself by looking at the form targets and HTTP
> traffic. See:
>
> http://code.google.com/appengine/docs/users/
>
> So I'd say you can pretty much trust an openid-provider.a.com assertion that
> the person has a Google account. But like others have said, it's not an
> official Google product.

I realise that Google's authsub service doesn't reveal a user's email +
password to the relying site (in this case openid-provider.appspot.com).

If you are using an OpenID provider that I control, you are trusting me not
to add a backdoor that lets me authenticate to RPs as your identity URL. And
given the way OpenID works, I'd have a pretty good idea of which RPs to go
after.

Based on the info in the links you provided it is probably safe to trust the
site not to do these things, but it is not clear from the information on
that site alone.

James.
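James's point, that an RP ends up trusting whichever OP discovery hands it for a claimed identifier, is exactly where the OpenID 2.0 verification rules on the RP side stop and policy begins. The Python below is an added example written for this archive page, not code from the thread or from any OpenID library; the RP URL, the discovery table, the association secret, the trusted-OP list and every identifier in it are constructed stand-ins. It walks an RP through the checks on a positive assertion (op_endpoint must match what discovery found for claimed_id, return_to must be ours, the response_nonce must be fresh and unused, and the HMAC over the key-value form of the openid.signed fields must verify under the association named by assoc_handle) and marks the one check that is not a protocol rule at all: the protocol stops an OP from asserting identifiers outside its own namespace, but only an RP trust decision covers identifiers inside it, which is the backdoor James describes.

```python
"""RP-side checks on an OpenID 2.0 positive assertion (added example, not code from the thread)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RETURN_TO = "https://rp.example/openid/return"  # hypothetical RP return URL

# Constructed discovery results (claimed identifier -> OP endpoint), standing in for what an
# RP learns by running Yadis/XRDS or HTML discovery on the claimed_id before the redirect.
DISCOVERED = {
    "https://alice.op.example/": "https://op.example/openid",
    "https://bob.other-op.example/": "https://other-op.example/openid",
}
# RP policy, not a protocol rule: any OP can legitimately assert every identifier in its own
# namespace, so which OPs to rely on at all is a deployment decision (the thread's trust point).
TRUSTED_OPS = {"https://op.example/openid"}
# Constructed association secrets keyed by assoc_handle (HMAC-SHA256 association assumed).
ASSOC_SECRETS = {"assoc-1": b"constructed-shared-secret-for-the-example-only"}
NONCE_WINDOW = timedelta(minutes=5)
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                  "claimed_id", "identity")


def kv_form(fields, names):
    """Key-Value Form encoding of the listed fields, with the 'openid.' prefix stripped."""
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names)


def compute_sig(secret, fields):
    """HMAC-SHA256 over the key-value form of openid.signed, base64 as openid.sig carries it."""
    names = fields["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(fields, names).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_assertion(claimed, op_endpoint, nonce, handle="assoc-1"):
    """Constructed OP side: build and sign an id_res message, used only to produce samples."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed,
        "openid.identity": claimed,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": ",".join(MUST_BE_SIGNED),
    }
    fields["openid.sig"] = compute_sig(ASSOC_SECRETS[handle], fields)
    return fields


def verify_assertion(fields, seen_nonces, now):
    """Return (accepted, reason); records the nonce in seen_nonces only when accepted."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op = fields.get("openid.op_endpoint")
    # 1. Discovered information must match (OpenID 2.0 section 11.2): otherwise any OP could
    #    assert identifiers that belong to another OP's namespace.
    if DISCOVERED.get(fields.get("openid.claimed_id")) != op:
        return False, "op_endpoint does not match discovery for claimed_id"
    # 2. Trust policy for the OP itself; this is the RP's decision, not the protocol's.
    if op not in TRUSTED_OPS:
        return False, "OP not trusted by this RP"
    # 3. The assertion must be addressed to this RP.
    if fields.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    # 4. Nonce freshness and single use (section 11.3): timestamp prefix inside the window
    #    and never accepted before, so a captured assertion cannot be replayed.
    nonce = fields.get("openid.response_nonce", "")
    try:
        stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - stamp) > NONCE_WINDOW or nonce in seen_nonces:
        return False, "stale or replayed response_nonce"
    # 5. Signature under the association named by assoc_handle, covering the required fields.
    names = fields.get("openid.signed", "").split(",")
    if any(n not in names for n in MUST_BE_SIGNED) or any("openid." + n not in fields for n in names):
        return False, "signature does not cover the required fields"
    secret = ASSOC_SECRETS.get(fields.get("openid.assoc_handle"))
    if secret is None:
        return False, "unknown assoc_handle"
    if not hmac.compare_digest(compute_sig(secret, fields), fields.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Run the checks over constructed assertions; returns the list of (accepted, reason)."""
    now = datetime(2008, 4, 10, 15, 0, tzinfo=timezone.utc)
    seen = set()
    good = make_assertion("https://alice.op.example/", "https://op.example/openid",
                          "2008-04-10T14:59:30Zabc")
    results = [verify_assertion(good, seen, now), verify_assertion(good, seen, now)]  # replay
    foreign = make_assertion("https://bob.other-op.example/", "https://op.example/openid",
                             "2008-04-10T14:59:31Zdef")  # trusted OP, someone else's namespace
    results.append(verify_assertion(foreign, seen, now))
    untrusted = make_assertion("https://bob.other-op.example/", "https://other-op.example/openid",
                               "2008-04-10T14:59:32Zghi")  # discovery agrees, policy does not
    results.append(verify_assertion(untrusted, seen, now))
    tampered = make_assertion("https://alice.op.example/", "https://op.example/openid",
                              "2008-04-10T14:59:33Zjkl")
    tampered["openid.identity"] = "https://mallory.op.example/"  # altered after signing
    results.append(verify_assertion(tampered, seen, now))
    return results
```

demo() accepts the first assertion and rejects, in order, the replay, the foreign identifier, the untrusted OP and the tampered identity. Note what the "foreign" case does and does not cover: the discovery check catches an OP asserting an identifier that discovery attributes to another OP, but an assertion for an identifier inside the OP's own namespace passes every protocol check, so whether to rely on that OP at all is the TRUSTED_OPS decision and nothing else.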
From peter.davis at neustar.biz Fri Apr 11 05:38:53 2008
From: peter.davis at neustar.biz (Peter Davis)
Date: Fri, 11 Apr 2008 08:38:53 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <03c001c89a6d$7d1f86b0$775e9410$@com>
References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> <03c001c89a6d$7d1f86b0$775e9410$@com>

this discussion, of course, has happened before:

http://openid.net/pipermail/specs/2008-January/002104.html

And paul is correct, IMHO... NAPTR is a better and more flexible way to
address this. The original proposal had regex expressions in TXT RRs, which,
while not improper, does not have a resolver code base to draw from, and
some well-laid groundwork for regex processing libraries for resolvers to
use.

on the other hand, i've never wanted to use my email address as my openID,
and you'd have to write a new profile which allowed the OP/RP to understand
i can prove ownership of the identifier.

=peterd

On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote:
> James,
>
> I don't think we need SRV records to do this. NAPTR would suffice, as that
> would allow one to transform one string into another.
>
> But, it seems that there is an overwhelming preference for using some kind
> of string of undetermined structure to identify a user which is not of an
> e-mail format. (I know there is an intent to use a URI, but most users have
> no idea what a URI is and few really type them properly.)
>
> So, while I still think the form user at provider is better for the user
> world-wide community, I understand the counter-arguments. And, perhaps I'll
> be proven wrong-- which is OK.
>
> Paul
>
>> -----Original Message-----
>> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
>> Behalf Of McGovern, James F (HTSC, IT)
>> Sent: Monday, April 07, 2008 3:21 PM
>> To: specs at openid.net
>> Subject: Using email address as OpenID identifier
>>
>> This would require defining an OpenID SRV record in DNS. Would make
>> sense for someone to get this formally defined as part of IETF. Could
>> kinda be done in the same way that Boeing is moving forward definition
>> of XRI in LDAP..
>>
>> -----Original Message-----
>>
>> Message: 1
>> Date: Mon, 07 Apr 2008 18:56:57 +0100
>> From: Martin Atkins
>> Subject: Re: Using email address as OpenID identifier
>> To: specs at openid.net
>> Message-ID: <47FA6069.1040800 at degeneration.co.uk>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Paul E. Jones wrote:
>>>
>>> Perhaps it is important to say, though, that I do not think it
>>> requires the e-mail providers to get on board with this (in my view)
>>> simpler notation. I could use an ID like paulej at myopenid.com and that
>>> should work, if myopenid.com would publish the appropriate NAPTR
>>> record. I could also insert NAPTR records into the packetizer.com DNS
>>> server that would allow me to use my email address, but point at my
>>> preferred OpenID provider. In short, just because the user at domain
>>> syntax is used does not mean that it is necessarily an e-mail address: it
>>> could be, but more importantly, it just follows that familiar format
>>> documented in RFC 822.
>>>
>>
>> Funnily enough, I've always perceived the fact that syntactically-valid
>> but non-existent email addresses are being used as identifiers as a
>> problem rather than a benefit:
>>
>> * It creates confusion for users when something looks like an email
>> address but it doesn't behave as one. I've seen this sort of confusion
>> with Jabber servers, where users get confused that their Jabber ID and
>> email address are not the same, especially when Jabber clients say "For
>> example, user at example.com" under the Jabber ID field.
>>
>> * If not all email-shaped OpenID identifiers are actually working
>> mailboxes, it's likely to lead to a distressing user experience where
>> the user is first asked to enter their OpenID identifier -- that is,
>> their email address -- and then they're asked to enter and verify their
>> email address. At this point, I expect users to at best say "Stupid
>> computer! Remember what I've told you!" and at worst get confused and
>> think that the OpenID identifier they entered was not correct.
>>
>> * As has often been raised in both the OpenID-with-email and in the
>> Jabber circles, many people are reluctant to give up their email
>> addresses to the public eye for fear of spam. Note that Yahoo.com will,
>> by default, use a big opaque string as an identifier rather than the
>> user's Yahoo! account name for this very reason.
>>
>> *********************************************************************
>> This communication, including attachments, is
>> for the exclusive use of addressee and may contain proprietary,
>> confidential and/or privileged information. If you are not the intended
>> recipient, any use, copying, disclosure, dissemination or distribution is
>> strictly prohibited. If you are not the intended recipient, please notify
>> the sender immediately by return e-mail, delete this communication and
>> destroy all copies.
>> *********************************************************************
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs

From joseph at josephholsten.com Fri Apr 11 15:20:58 2008
From: joseph at josephholsten.com (Joseph Holsten)
Date: Fri, 11 Apr 2008 17:20:58 -0500
Subject: Using email address as OpenID identifier
References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> <03c001c89a6d$7d1f86b0$775e9410$@com>

I really wish everyone would stop calling these identifiers "email
addresses." They're no more email addresses than xmpp: uris. You aren't
going to change the email standards. You will not forcibly require email
servers to recognize xrds discovery. All you're going to get is an
identifier that looks something like an email. You may as well say that
you're using jabber addresses as openids.

I'm going to stop saying you're actually speaking of XRDS document
discovery, since that seems to be over everyone's head. I'm going to stop
saying the openid list isn't the place for this, since we defer endpoint
discovery to XRI discover 2.0, though we may switch to XRDS-Simple. But
seriously, get off this list.

But for goodness sakes, could you stop calling them email addresses? They're
just email-looking urls, nothing more. Unless you guys are so crazy as to
have a line like "XRDS discovery MUST verify that the identifier accepts
email," you're just not talking about email.

Respectfully and with far too much sarcasm,
http:// Joseph Holsten .com

On Fri, Apr 11, 2008 at 7:38 AM, Peter Davis wrote:
> this discussion, of course, has happened before:
>
> http://openid.net/pipermail/specs/2008-January/002104.html
>
> And paul is correct, IMHO... NAPTR is a better and more flexible way
> to address this. The original proposal had regex expressions in TXT
> RRs, which, while not improper, does not have a resolver code base
> to draw from, and some well-laid groundwork for regex processing
> libraries for resolvers to use.
>
> on the other hand, i've never wanted to use my email address as my
> openID, and you'd have to write a new profile which allowed the OP/RP
> to understand i can prove ownership of the identifier.
>
> =peterd
>
>
> On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote:
> > James,
> >
> > I don't think we need SRV records to do this. NAPTR would suffice, as that
> > would allow one to transform one string into another.
> >
> > But, it seems that there is an overwhelming preference for using some kind
> > of string of undetermined structure to identify a user which is not of an
> > e-mail format. (I know there is an intent to use a URI, but most users have
> > no idea what a URI is and few really type them properly.)
> >
> > So, while I still think the form user at provider is better for the user
> > world-wide community, I understand the counter-arguments. And, perhaps I'll
> > be proven wrong-- which is OK.
> >
> > Paul
> >
> >> -----Original Message-----
> >> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> >> Behalf Of McGovern, James F (HTSC, IT)
> >> Sent: Monday, April 07, 2008 3:21 PM
> >> To: specs at openid.net
> >> Subject: Using email address as OpenID identifier
> >>
> >> This would require defining an OpenID SRV record in DNS. Would make
> >> sense for someone to get this formally defined as part of IETF. Could
> >> kinda be done in the same way that Boeing is moving forward definition
> >> of XRI in LDAP..
> >>
> >> -----Original Message-----
> >>
> >> Message: 1
> >> Date: Mon, 07 Apr 2008 18:56:57 +0100
> >> From: Martin Atkins
> >> Subject: Re: Using email address as OpenID identifier
> >> To: specs at openid.net
> >> Message-ID: <47FA6069.1040800 at degeneration.co.uk>
> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >>
> >> Paul E. Jones wrote:
> >>>
> >>> Perhaps it is important to say, though, that I do not think it
> >>> requires the e-mail providers to get on board with this (in my view)
> >>> simpler notation. I could use an ID like paulej at myopenid.com and that
> >>> should work, if myopenid.com would publish the appropriate NAPTR
> >>> record. I could also insert NAPTR records into the packetizer.com DNS
> >>> server that would allow me to use my email address, but point at my
> >>> preferred OpenID provider. In short, just because the user at domain
> >>> syntax is used does not mean that it is necessarily an e-mail address: it
> >>> could be, but more importantly, it just follows that familiar format
> >>> documented in RFC 822.
> >>>
> >>
> >> Funnily enough, I've always perceived the fact that syntactically-valid
> >> but non-existent email addresses are being used as identifiers as a
> >> problem rather than a benefit:
> >>
> >> * It creates confusion for users when something looks like an email
> >> address but it doesn't behave as one. I've seen this sort of confusion
> >> with Jabber servers, where users get confused that their Jabber ID and
> >> email address are not the same, especially when Jabber clients say "For
> >> example, user at example.com" under the Jabber ID field.
> >>
> >> * If not all email-shaped OpenID identifiers are actually working
> >> mailboxes, it's likely to lead to a distressing user experience where
> >> the user is first asked to enter their OpenID identifier -- that is,
> >> their email address -- and then they're asked to enter and verify their
> >> email address. At this point, I expect users to at best say "Stupid
> >> computer! Remember what I've told you!" and at worst get confused and
> >> think that the OpenID identifier they entered was not correct.
> >>
> >> * As has often been raised in both the OpenID-with-email and in the
> >> Jabber circles, many people are reluctant to give up their email
> >> addresses to the public eye for fear of spam. Note that Yahoo.com will,
> >> by default, use a big opaque string as an identifier rather than the
> >> user's Yahoo! account name for this very reason.
> >>
From Michael.Jones at microsoft.com Fri Apr 25 13:35:41 2008
From: Michael.Jones at microsoft.com (Mike Jones)
Date: Fri, 25 Apr 2008 13:35:41 -0700
Subject: Proposal to create the PAPE working group

In accordance with the OpenID Foundation IPR policies and procedures this
note proposes the formation of a new working group chartered to produce an
OpenID specification. As per Section 4.1 of the Policies, the specifics of
the proposed working group are:

Proposal:

(a) Charter.

(i) WG name: Provider Authentication Policy Extension (PAPE)

(ii) Purpose: Produce a standard OpenID extension to the OpenID
Authentication protocol that: provides a mechanism by which a Relying Party
can request that particular authentication policies be applied by the OpenID
Provider when authenticating an End User and provides a mechanism by which
an OpenID Provider may inform a Relying Party which authentication policies
were used. Thus a Relying Party can request that the End User authenticate,
for example, using a phishing-resistant and/or multi-factor authentication
method.

(iii) Scope: Produce a revision of the PAPE 1.0 Draft 2 specification that
clarifies its intent, while maintaining compatibility for existing Draft 2
implementations. Adding any support for communicating requests for or the
use of specific authentication methods (as opposed to authentication
policies) is explicitly out of scope.

(iv) Proposed List of Specifications: Provider Authentication Policy
Extension 1.0, spec completion expected during May 2008.

(v) Anticipated audience or users of the work: Implementers of OpenID
Providers and Relying Parties -- especially those interested in mitigating
the phishing vulnerabilities of logging into OpenID providers with
passwords.

(vi) Language in which the WG will conduct business: English.

(vii) Method of work: E-mail discussions on the working group mailing list,
working group conference calls, and possibly a face-to-face meeting at the
Internet Identity Workshop.

(viii) Basis for determining when the work of the WG is completed: Proposed
changes to draft 2 will be evaluated on the basis of whether they increase
or decrease consensus within the working group. The work will be completed
once it is apparent that maximal consensus on the draft has been achieved,
consistent with the purpose and scope.

(b) Background Information.

(i) Related work being done in other WGs or organizations: (1) Assurance
Levels as defined by the National Institute of Standards and Technology
(NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk,
Ed., "Electronic Authentication Guideline," April 2006.) [NIST_SP800-63].
This working group is needed to enable authentication policy statements to
be exchanged by OpenID endpoints. No coordination is needed with NIST, as
the PAPE specification uses elements of the NIST specification in the
intended fashion.

(ii) Proposers:
Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
David Recordon, drecordon at sixapart.com, Six Apart Corporation
Ben Laurie, benl at google.com, Google Corporation
Drummond Reed, drummond.reed at cordance.net, Cordance Corporation
John Bradley, john.bradley at wingaa.com, Wingaa Corporation
Johnny Bufu, johnny.bufu at gmail.com, Independent

Editors:
Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
David Recordon, drecordon at sixapart.com, Six Apart Corporation

(iii) Anticipated Contributions: None.

====

(The rest of this note is informational and not part of the proposal to
create an OpenID working group.)

Given that the OpenID specification procedures call for votes of the
membership, this would be a good time for those wanting to influence the
outcome of this specification to join the OpenID Foundation. You can do so
at http://openid.net/foundation/join/. Should you wish to join the working
group, you will also need to execute the Contribution Agreement at
http://openid.net/foundation/intellectual-property/ once the working group
formation has been approved by the membership. After the Specifications
Council has responded to this request to create a working group (which must
happen within 15 days) a separate message will be sent asking those of you
who are OpenID members to vote on the working group creation, containing
instructions for how to do so.

-- Mike

From hans at granqvist.com Sat Apr 26 09:45:35 2008
From: hans at granqvist.com (Hans Granqvist)
Date: Sat, 26 Apr 2008 09:45:35 -0700
Subject: Proposal to create the PAPE working group

The membership application forms seem to be missing from
http://openid.net/foundation/join/. Can someone look into it?

Thanks,
Hans

2008/4/25 Mike Jones :
>
> In accordance with the OpenID Foundation IPR policies and procedures this
> note proposes the formation of a new working group chartered to produce an
> OpenID specification. As per Section 4.1 of the Policies, the specifics of
> the proposed working group are:
>
> Proposal:
>
> (a) Charter.
>
> (i) WG name: Provider Authentication Policy Extension (PAPE)
>
> (ii) Purpose: Produce a standard OpenID extension to the OpenID
> Authentication protocol that: provides a mechanism by which a Relying Party
> can request that particular authentication policies be applied by the OpenID
> Provider when authenticating an End User and provides a mechanism by which
> an OpenID Provider may inform a Relying Party which authentication policies
> were used. Thus a Relying Party can request that the End User authenticate,
> for example, using a phishing-resistant and/or multi-factor authentication
> method.
>
> (iii) Scope: Produce a revision of the PAPE 1.0 Draft 2 specification that
> clarifies its intent, while maintaining compatibility for existing Draft 2
> implementations. Adding any support for communicating requests for or the
> use of specific authentication methods (as opposed to authentication
> policies) is explicitly out of scope.
>
> (iv) Proposed List of Specifications: Provider Authentication Policy
> Extension 1.0, spec completion expected during May 2008.
>
> (v) Anticipated audience or users of the work: Implementers of OpenID
> Providers and Relying Parties -- especially those interested in mitigating
> the phishing vulnerabilities of logging into OpenID providers with
> passwords.
>
> (vi) Language in which the WG will conduct business: English.
>
> (vii) Method of work: E-mail discussions on the working group mailing list,
> working group conference calls, and possibly a face-to-face meeting at the
> Internet Identity Workshop.
>
> (viii) Basis for determining when the work of the WG is completed: Proposed
> changes to draft 2 will be evaluated on the basis of whether they increase
> or decrease consensus within the working group. The work will be completed
> once it is apparent that maximal consensus on the draft has been achieved,
> consistent with the purpose and scope.
>
> (b) Background Information.
>
> (i) Related work being done in other WGs or organizations: (1) Assurance
> Levels as defined by the National Institute of Standards and Technology
> (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk,
> Ed., "Electronic Authentication Guideline," April 2006.) [NIST_SP800-63].
> This working group is needed to enable authentication policy statements to
> be exchanged by OpenID endpoints. No coordination is needed with NIST, as
> the PAPE specification uses elements of the NIST specification in the
> intended fashion.
>
> (ii) Proposers:
> Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
> David Recordon, drecordon at sixapart.com, Six Apart Corporation
> Ben Laurie, benl at google.com, Google Corporation
> Drummond Reed, drummond.reed at cordance.net, Cordance Corporation
> John Bradley, john.bradley at wingaa.com, Wingaa Corporation
> Johnny Bufu, johnny.bufu at gmail.com, Independent
>
> Editors:
> Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
> David Recordon, drecordon at sixapart.com, Six Apart Corporation
>
> (iii) Anticipated Contributions: None.
>
> ====
>
> (The rest of this note is informational and not part of the proposal to
> create an OpenID working group.)
>
> Given that the OpenID specification procedures call for votes of the
> membership, this would be a good time for those wanting to influence the
> outcome of this specification to join the OpenID Foundation. You can do so
> at http://openid.net/foundation/join/. Should you wish to join the working
> group, you will also need to execute the Contribution Agreement at
> http://openid.net/foundation/intellectual-property/ once the working group
> formation has been approved by the membership.
> After the Specifications
> Council has responded to this request to create a working group (which must
> happen within 15 days) a separate message will be sent asking those of you
> who are OpenID members to vote on the working group creation, containing
> instructions for how to do so.
>
> -- Mike

From Michael.Jones at microsoft.com Sat Apr 26 16:20:36 2008
From: Michael.Jones at microsoft.com (Mike Jones)
Date: Sat, 26 Apr 2008 16:20:36 -0700
Subject: Proposal to create the PAPE working group

I'm pleased to report that Dick Hardt has also added his name to the list of
proposers for this working group. The list is now:

Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
David Recordon, drecordon at sixapart.com, Six Apart Corporation
Ben Laurie, benl at google.com, Google Corporation
Drummond Reed, drummond.reed at cordance.net, Cordance Corporation
John Bradley, john.bradley at wingaa.com, Wingaa Corporation
Johnny Bufu, johnny.bufu at gmail.com, Independent
Dick Hardt, dick at sxip.com, Sxip Identity Corporation

-- Mike

________________________________
From: Mike Jones
Sent: Friday, April 25, 2008 1:36 PM
To: specs at openid.net
Cc: David Recordon; Ben Laurie; Drummond Reed; John Bradley; Johnny Bufu
Subject: Proposal to create the PAPE working group

In accordance with the OpenID Foundation IPR policies and procedures this
note proposes the formation of a new working group chartered to produce an
OpenID specification. As per Section 4.1 of the Policies, the specifics of
the proposed working group are:

Proposal:

(a) Charter.

(i) WG name: Provider Authentication Policy Extension (PAPE)

(ii) Purpose: Produce a standard OpenID extension to the OpenID
Authentication protocol that: provides a mechanism by which a Relying Party
can request that particular authentication policies be applied by the OpenID
Provider when authenticating an End User and provides a mechanism by which
an OpenID Provider may inform a Relying Party which authentication policies
were used. Thus a Relying Party can request that the End User authenticate,
for example, using a phishing-resistant and/or multi-factor authentication
method.

(iii) Scope: Produce a revision of the PAPE 1.0 Draft 2 specification that
clarifies its intent, while maintaining compatibility for existing Draft 2
implementations. Adding any support for communicating requests for or the
use of specific authentication methods (as opposed to authentication
policies) is explicitly out of scope.

(iv) Proposed List of Specifications: Provider Authentication Policy
Extension 1.0, spec completion expected during May 2008.

(v) Anticipated audience or users of the work: Implementers of OpenID
Providers and Relying Parties -- especially those interested in mitigating
the phishing vulnerabilities of logging into OpenID providers with
passwords.

(vi) Language in which the WG will conduct business: English.

(vii) Method of work: E-mail discussions on the working group mailing list,
working group conference calls, and possibly a face-to-face meeting at the
Internet Identity Workshop.

(viii) Basis for determining when the work of the WG is completed: Proposed
changes to draft 2 will be evaluated on the basis of whether they increase
or decrease consensus within the working group. The work will be completed
once it is apparent that maximal consensus on the draft has been achieved,
consistent with the purpose and scope.

(b) Background Information.

(i) Related work being done in other WGs or organizations: (1) Assurance
Levels as defined by the National Institute of Standards and Technology
(NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk,
Ed., "Electronic Authentication Guideline," April 2006.) [NIST_SP800-63].
This working group is needed to enable authentication policy statements to
be exchanged by OpenID endpoints. No coordination is needed with NIST, as
the PAPE specification uses elements of the NIST specification in the
intended fashion.

(ii) Proposers:
Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
David Recordon, drecordon at sixapart.com, Six Apart Corporation
Ben Laurie, benl at google.com, Google Corporation
Drummond Reed, drummond.reed at cordance.net, Cordance Corporation
John Bradley, john.bradley at wingaa.com, Wingaa Corporation
Johnny Bufu, johnny.bufu at gmail.com, Independent

Editors:
Michael B. Jones, mbj at microsoft.com, Microsoft Corporation
David Recordon, drecordon at sixapart.com, Six Apart Corporation

(iii) Anticipated Contributions: None.

====

(The rest of this note is informational and not part of the proposal to
create an OpenID working group.)

Given that the OpenID specification procedures call for votes of the
membership, this would be a good time for those wanting to influence the
outcome of this specification to join the OpenID Foundation. You can do so
at http://openid.net/foundation/join/. Should you wish to join the working
group, you will also need to execute the Contribution Agreement at
http://openid.net/foundation/intellectual-property/ once the working group
formation has been approved by the membership. After the Specifications
Council has responded to this request to create a working group (which must
happen within 15 days) a separate message will be sent asking those of you
who are OpenID members to vote on the working group creation, containing
instructions for how to do so.
-- Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: http://openid.net/pipermail/specs/attachments/20080426/bb1d4354/attachment-0001.htm From john at extremeswank.com Wed Apr 30 14:16:55 2008 From: john at extremeswank.com (John Ehn) Date: Wed, 30 Apr 2008 17:16:55 -0400 Subject: Correct AX Namespaces Message-ID: OpenID Colleagues, I (and a few other people) are rather confused about the current state of Attribute Exchange, and the default namespace URIs. Which of the following will be the correct namespace root for the future? http://schema.openid.net/ http://openid.net/schema/ http://axschema.org/ - MyOpenID supports http://schema.openid.net/ - The "Attribute Properties for OpenID Attribute Exchange" spec at http://openid.net/specs calls out http://openid.net/schema/. I don't know if there are any OPs that implement this version. - axschema.org calls out http://axschema.org/ They are all functionally equivalent, but it's up to the OpenID Provider to decide which to implement. As a result, the Relying Party has to guess which providers are implementing which namespace roots. Since the default behavior is to simply ignore the AX request if the namespace is not recognized, we cannot tell the difference between an OpenID Provider that doesn't support AX, and one that simply doesn't support the requested namespace. In researching, I found the original request to use http://schema.openid.net, which appeared to happen summer of 2007. Since http://axschema.org/ and http://openid.net/schema came out after that, I'm assuming that it should no longer be relevant. However, MyOpenID implements this namespace, so I can't say for sure if that's really the case. That still leaves us with three namespace roots. Can anyone tell me which one is now considered the standard implementation, so I don't have to build three Attribute Exchange schema definition sets into my codebase? 
Thank you,
John Ehn
extremeswank.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/specs/attachments/20080430/4625bb33/attachment.htm

From dick at sxip.com Wed Apr 30 16:23:50 2008
From: dick at sxip.com (Dick Hardt)
Date: Thu, 1 May 2008 11:23:50 +1200
Subject: Correct AX Namespaces
In-Reply-To:
References:
Message-ID: <866111CB-3051-488C-91DB-9DC795D81881@sxip.com>

On 1-May-08, at 9:16 AM, John Ehn wrote:

> OpenID Colleagues,
>
> I (and a few other people) are rather confused about the current
> state of Attribute Exchange, and the default namespace URIs. Which
> of the following will be the correct namespace root for the future?
>
> http://schema.openid.net/
> http://openid.net/schema/
> http://axschema.org/
>
> - MyOpenID supports http://schema.openid.net/
>
> - The "Attribute Properties for OpenID Attribute Exchange" spec at http://openid.net/specs
> calls out http://openid.net/schema/. I don't know if there are any
> OPs that implement this version.

That is a boo-boo. I thought it had been fixed to NOT refer to a namespace.

>
> - axschema.org calls out http://axschema.org/

That is the namespace that we concluded to use on the list in the past. If people want, we can open up the discussion again. I agree the community needs to be clear on the namespace.

-- Dick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/specs/attachments/20080501/0b7e5d0d/attachment.htm

From john at extremeswank.com Wed Apr 30 18:42:47 2008
From: john at extremeswank.com (John Ehn)
Date: Wed, 30 Apr 2008 21:42:47 -0400
Subject: Correct AX Namespaces
In-Reply-To: <866111CB-3051-488C-91DB-9DC795D81881@sxip.com>
References: <866111CB-3051-488C-91DB-9DC795D81881@sxip.com>
Message-ID:

Dick,

Thank you for the quick response. I'll ensure axschema.org is the default, then.
Thanks,
John Ehn
extremeswank.com

On Wed, Apr 30, 2008 at 7:23 PM, Dick Hardt wrote:
>
> On 1-May-08, at 9:16 AM, John Ehn wrote:
>
> OpenID Colleagues,
>
> I (and a few other people) are rather confused about the current state of
> Attribute Exchange, and the default namespace URIs. Which of the following
> will be the correct namespace root for the future?
>
> http://schema.openid.net/
> http://openid.net/schema/
> http://axschema.org/
>
> - MyOpenID supports http://schema.openid.net/
>
> - The "Attribute Properties for OpenID Attribute Exchange" spec at
> http://openid.net/specs calls out http://openid.net/schema/. I don't know
> if there are any OPs that implement this version.
>
>
> That is a boo-boo. I thought it had been fixed to NOT refer to a
> namespace.
>
>
> - axschema.org calls out http://axschema.org/
>
>
> That is the namespace that we concluded to use on the list on the past. If
> people want, we can open up the discussion again. I agree the community
> needs to be clear on the namespace.
>
> -- Dick
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/specs/attachments/20080430/2db5c7a2/attachment.htm

From eran at hueniverse.com Wed Apr 2 02:42:52 2008
From: eran at hueniverse.com (Eran Hammer-Lahav)
Date: Tue, 1 Apr 2008 22:42:52 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <03d401c89469$86c56720$94503560$@com>
References: <03d401c89469$86c56720$94503560$@com>
Message-ID: <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net>

The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID.

But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll.

So, do you know anyone? :)

EHL

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs at openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier.
Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php I share many of same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right. While the e-mail address does not have to be the one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry: yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" This would allow a Relaying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use. If something like this has been discussed and rejected, what was the reason? Thanks, Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulej at packetizer.com Wed Apr 2 03:42:08 2008 From: paulej at packetizer.com (Paul E. Jones) Date: Tue, 1 Apr 2008 23:42:08 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> Message-ID: <040c01c89473$8716fe00$9544fa00$@com> Eran, You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned. 
But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions.

Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider.

In short, just because the user at domain syntax is used does not mean that it is necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822.

Paul

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav
Sent: Tuesday, April 01, 2008 10:43 PM
To: specs at openid.net
Subject: RE: Using email address as OpenID identifier

The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there.

As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation.
Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID.

But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll.

So, do you know anyone? :)

EHL

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones
Sent: Tuesday, April 01, 2008 10:31 PM
To: specs at openid.net
Subject: Using email address as OpenID identifier

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.

While the e-mail address does not have to be the one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:

yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relaying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use.

If something like this has been discussed and rejected, what was the reason?
Thanks,
Paul
-------------- next part --------------
An HTML attachment was scrubbed...

From dick at sxip.com Wed Apr 2 03:44:35 2008
From: dick at sxip.com (Dick Hardt)
Date: Tue, 1 Apr 2008 20:44:35 -0700
Subject: Using email address as OpenID identifier
In-Reply-To: <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com>
References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com>
Message-ID: <8A363AC7-1696-40C7-B60A-CAEFB0D2DA72@sxip.com>

On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote:
>
> -- that said, with directed identity in OpenID 2.0, a user just
> needs to type in "yahoo.com", or press the pretty yahoo button. No
> typing.

I think this is why we don't need to use emails. People are very familiar with typing in a URL in the address bar. The experience of entering an URL and then being on that page is also really familiar. This is of course what happens when you type the OP into the OpenID prompt.

Sorry for not being the least bit supportive of the email as identifier idea -- there are just so many things that are bad about it and the good reason (an identifier they already know) is provided per above with the advantage of giving an expected experience.

I agree with Brad that we need to write a FAQ on this.

-- Dick
-------------- next part --------------
An HTML attachment was scrubbed...
From eran at hueniverse.com Wed Apr 2 04:17:24 2008
From: eran at hueniverse.com (Eran Hammer-Lahav)
Date: Wed, 2 Apr 2008 00:17:24 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <040c01c89473$8716fe00$9544fa00$@com>
References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com>
Message-ID: <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net>

Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially the list of other solutions proposed before me, as well as Brad's proposal.

The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this DNS, and they *are* the email providers.

EHL

From: Paul E. Jones [mailto:paulej at packetizer.com]
Sent: Tuesday, April 01, 2008 11:42 PM
To: Eran Hammer-Lahav; specs at openid.net
Subject: RE: Using email address as OpenID identifier

Eran,

You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned.

But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions.

Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider.
In short, just because the user at domain syntax is used does not mean that it necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822. Paul From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, April 01, 2008 10:43 PM To: specs at openid.net Subject: RE: Using email address as OpenID identifier The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there. As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID. But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll. So, do you know anyone? :) EHL From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones Sent: Tuesday, April 01, 2008 10:31 PM To: specs at openid.net Subject: Using email address as OpenID identifier Folks, I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php I share many of same opinions. 
If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right. While the e-mail address does not have to be the one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry: yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" This would allow a Relaying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use. If something like this has been discussed and rejected, what was the reason? Thanks, Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: From james at jamesh.id.au Wed Apr 2 04:30:09 2008 From: james at jamesh.id.au (James Henstridge) Date: Wed, 2 Apr 2008 12:30:09 +0800 Subject: Using email address as OpenID identifier In-Reply-To: <03d401c89469$86c56720$94503560$@com> References: <03d401c89469$86c56720$94503560$@com> Message-ID: On 02/04/2008, Paul E. Jones wrote: > Folks, > > I've seen discussion here and there on the use of the e-mail address as the > OpenID identifier. Perhaps this one says it best: > > http://www.majordojo.com/2007/02/what-openid-needs.php > > I share many of same opinions. If OpenID is going to be practically usable > by the average person, we cannot require the person to remember some very > complex identifier. 
> When I signed up for Yahoo's OpenID service, it
> presented me with a hideously ugly URL that looked similar to a
> base64-encoded string. I could not begin to tell you what it was.
> Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the
> ID is not one that the average user will remember or get right.
>
> While the e-mail address does not have to be the one's ID, it can certainly
> serve as an alias. Suppose, for example, that the DNS records at Yahoo
> contained the following entry:
>
> yahoo.com. IN NAPTR 100 10 "U" "OpenID2"
> "^(.+)@(.*)$!https://me.yahoo.com/\1!i"
>
> This would allow a Relaying Party to accept an e-mail address and perform a
> simple transformation to get the "real" URL identifier. Of course, this
> does not mean that the existing URL or XRI identifiers are invalid, nor does
> it mean that the "email address" has to be a real e-mail address. But, this
> form would certainly be far simpler for most people to deal use.

If your aim is to let people use an email address as an identifier, there are a few questions to answer:

1. when a user enters an email address into an RP, how is the claimed ID derived from that input?

2. given such an input, how does the RP go about discovering the OpenID endpoint URL and local ID for that identity?

With answers to these two questions, the remainder of the protocol should function as is.

I'm guessing (correct me if I'm wrong) that you're suggesting that this DNS lookup be done as part of (1). This seems like it would cause confusion if the user's ISP changed their DNS, since the user would see their email address as being the real identifier: not the URL that it maps to. A solution that matches closer with what the user expects would be to map "fred at example.com" to a claimed ID of "mailto:fred at example.com".

For (2), I'd suggest a solution that maps the email address either directly to an OpenID endpoint (using the claimed ID as local ID), or to an XRDS file.
A DNS based solution seems fine here (either your NAPTR idea, or TXT records as suggested in replies to your post).

James.

From paulej at packetizer.com Wed Apr 2 04:52:34 2008
From: paulej at packetizer.com (Paul E. Jones)
Date: Wed, 2 Apr 2008 00:52:34 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com>
References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com>
Message-ID: <042601c8947d$5e23da90$1a6b8fb0$@com>

Brad,

Your point about DNS limitations is valid. Then again, anybody who will be offering the open identity server is likely going to have control over their DNS. Still, I'm not opposed to alternatives.

But, since you brought up the fact that one can enter yahoo.com and get redirected, I checked and, indeed, several OpenID sites already accept the e-mail ID as a form of identification, and I can get redirected to either Yahoo or MyOpenID.com. So, do some of the libraries already check for e-mail address forms? It seems that perhaps they do!

Paul

From: brad at fitzpat.com [mailto:brad at fitzpat.com] On Behalf Of Brad Fitzpatrick
Sent: Tuesday, April 01, 2008 10:38 PM
To: Paul E. Jones
Cc: specs at openid.net
Subject: Re: Using email address as OpenID identifier

This has been discussed to death and really should be a FAQ by now, but it's not written up, so I'll add a few points:

-- we should discuss this as a generic email to URL mapping problem, and ignore what is done with that URL then. yes, it could be used as an OpenID

-- that said, with directed identity in OpenID 2.0, a user just needs to type in "yahoo.com", or press the pretty yahoo button. No typing.

-- For email-to-URL, NAPTR by itself is a non-starter. Technically it may be the correct way, but average people don't control their DNS. Hell, networksolutions doesn't even let you add SRV or TXT records.
-- A good solution to email-to-URL mapping will likely involve an XRDS-Simple-style two-pronged discovery lookup path. Whereas XRDS-Simple says "try Accept header, then parse the tag", a good email-to-URL lookup "protocol" (best practice?) might be to try NAPTR first, then fall back to this: http://brad.livejournal.com/2357444.html - Brad 2008/4/1 Paul E. Jones : Folks, I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php I share many of same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right. While the e-mail address does not have to be the one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry: yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" This would allow a Relaying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use. If something like this has been discussed and rejected, what was the reason? Thanks, Paul _______________________________________________ specs mailing list specs at openid.net http://openid.net/mailman/listinfo/specs -------------- next part -------------- An HTML attachment was scrubbed... 
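The e-mail-to-URL mapping Paul proposes, and that James splits into "derive the identifier" and "find the endpoint", worked through on the Relying Party side as an added example (not code from the thread, from Yahoo, or from any OpenID library): it parses an RFC 3403 substitution expression, applies Paul's yahoo.com "U" rule to a user@domain identifier, and refuses results an RP could not run HTTP discovery on. The record is constructed inline from the thread's example, written with the leading delimiter RFC 3403 requires, and the DNS query itself is assumed to have already been made.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Naptr:
    """NAPTR RDATA (RFC 3403); regexp is the field value after zone-file unescaping."""
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


# Constructed from the record in Paul's message, with the leading delimiter that
# RFC 3403 requires.  A real RP would fetch it with a NAPTR query for "yahoo.com".
YAHOO_NAPTR = Naptr(100, 10, "U", "OpenID2",
                    r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i", ".")

IDENTIFIER_FORM = re.compile(r"^[^@\s/]+@[A-Za-z0-9.-]+$")


def parse_subst_expr(field: str) -> Tuple[str, str, str]:
    """Split an RFC 3403 substitution expression into (ere, replacement, flags).
    The first character is the delimiter; a backslash escapes a delimiter that
    occurs inside the ERE or the replacement.  Only the "i" flag is defined."""
    if not field or field[0] == "\\" or field[0].isdigit():
        raise ValueError("invalid NAPTR regexp delimiter")
    delim, parts, cur, i = field[0], [], [], 1
    while i < len(field) and len(parts) < 2:
        ch = field[i]
        if ch == "\\" and i + 1 < len(field) and field[i + 1] == delim:
            cur.append(delim)
            i += 2
        elif ch == delim:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    if len(parts) != 2:
        raise ValueError("unterminated NAPTR substitution expression")
    flags = field[i:]
    if not set(flags) <= {"i"}:
        raise ValueError("unknown NAPTR regexp flags: %r" % flags)
    return parts[0], parts[1], flags


def expand_backrefs(repl: str, m) -> str:
    """Expand \\1..\\9 in a NAPTR replacement from the ERE match object m."""
    out, i = [], 0
    while i < len(repl):
        if repl[i] == "\\" and i + 1 < len(repl):
            nxt = repl[i + 1]
            if nxt.isdigit():
                n = int(nxt)
                if n == 0 or n > m.re.groups:
                    raise ValueError("backreference \\%d has no group" % n)
                out.append(m.group(n) or "")
            else:
                out.append(nxt)  # escaped literal character
            i += 2
        else:
            out.append(repl[i])
            i += 1
    return "".join(out)


def apply_rule(rule: Naptr, identifier: str) -> Optional[str]:
    """Apply one NAPTR rule; None when its ERE does not match the identifier."""
    ere, repl, flags = parse_subst_expr(rule.regexp)
    pattern = re.compile(ere, re.IGNORECASE if "i" in flags else 0)
    m = pattern.search(identifier)
    return None if m is None else expand_backrefs(repl, m)


def email_to_openid_url(identifier: str, records: List[Naptr]) -> str:
    """Derive the URL an RP would then run ordinary OpenID discovery against.
    The result is only a candidate: a NAPTR answer is unauthenticated without
    DNSSEC, so nothing is trusted until discovery on that URL succeeds."""
    if len(identifier) > 254 or not IDENTIFIER_FORM.match(identifier):
        raise ValueError("identifier is not in user@domain form")
    # Lowest order, then lowest preference, wins; only terminal OpenID2 rules count.
    rules = sorted((r for r in records
                    if r.service == "OpenID2" and r.flags.upper() == "U"),
                   key=lambda r: (r.order, r.preference))
    for rule in rules:
        url = apply_rule(rule, identifier)
        if url is None:
            continue
        parts = urlsplit(url)
        # Refuse anything the RP could not run HTTP discovery on (mailto:, file:, ...).
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("NAPTR rule produced a non-HTTP URL, refusing: " + url)
        return url
    raise LookupError("no applicable OpenID2 NAPTR rule for " + identifier)
```

With Paul's record, `email_to_openid_url("paulej@yahoo.com", [YAHOO_NAPTR])` yields `https://me.yahoo.com/paulej`, which is where normal OpenID discovery would then start.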
From paulej at packetizer.com Wed Apr 2 05:02:15 2008
From: paulej at packetizer.com (Paul E. Jones)
Date: Wed, 2 Apr 2008 01:02:15 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <8A363AC7-1696-40C7-B60A-CAEFB0D2DA72@sxip.com>
References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com> <8A363AC7-1696-40C7-B60A-CAEFB0D2DA72@sxip.com>
Message-ID: <043401c8947e$b8575360$2905fa20$@com>

Dick,

On this point, I really have to disagree. Even I rarely enter a URL into a web browser. Why bother when I know the web browser will figure it out for me. I don't want to type http:// or https:// :-)

More importantly, you and I are different than the average users. I've watched people struggle with getting addresses properly entered. I've watched people put "www" in front of every name entered into a web browser, even when the site might be something else. I've watched users enter \\ rather than //. I've even seen no slash at all.

So, what I think is important is that users have something simple and consistent. As I noted in my message to Brad just a moment ago, it appears that some sites will accept the e-mail address form and then figure out where to direct the user. I was pleasantly surprised. Given that at least some of the sites out there now do operate this way, I suspect it might just be a matter of time before all of them do.

But, I think it's important that the user experience is consistent, as you say. If email IDs are going to be supported by some, they ought to be supported by all - even if they do nothing but figure out which OP to direct the browser to.

Paul

From: Dick Hardt [mailto:dick at sxip.com]
Sent: Tuesday, April 01, 2008 11:45 PM
To: Brad Fitzpatrick
Cc: Paul E.
Jones; specs at openid.net Subject: Re: Using email address as OpenID identifier On 1-Apr-08, at 7:37 PM, Brad Fitzpatrick wrote: -- that said, with directed identity in OpenID 2.0, a user just needs to type in "yahoo.com", or press the pretty yahoo button. No typing. I think this is why we don't need to use emails. People are very familiar with typing in a URL in the address bar. The experience of entering an URL and then being on that page is also really familiar. This is of course what happens when you type the OP into the OpenID prompt. Sorry for not being the least bit supportive of the email as identifier idea -- there are just so many things that are bad about it and the good reason (an identifier they already know) is provided per above with the advantage of giving an expected experience. I agree with Brad that we need to write a FAQ on this. -- Dick -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulej at packetizer.com Wed Apr 2 05:05:09 2008 From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 2 Apr 2008 01:05:09 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> Message-ID: <045701c8947f$1fe3cf40$5fab6dc0$@com> Eran, I'm not suggesting that the address must be a real e-mail address. I'm suggesting that the ID has that form. It's easier for users than entering https://me.yahoo.com/userid. If it happens to also be one's real e-mail address, fine. That would be a plus for me, but I don't see that as a requirement. 
Paul From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Wednesday, April 02, 2008 12:17 AM To: specs at openid.net Subject: RE: Using email address as OpenID identifier Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially the list of other solutions proposed before me, as well as Brad's proposal. The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this DNS, and they *are* the email providers. EHL From: Paul E. Jones [mailto:paulej at packetizer.com] Sent: Tuesday, April 01, 2008 11:42 PM To: Eran Hammer-Lahav; specs at openid.net Subject: RE: Using email address as OpenID identifier Eran, You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned. But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions. Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider. In short, just because the user at domain syntax is used does not mean that it necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822. 
Paul From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, April 01, 2008 10:43 PM To: specs at openid.net Subject: RE: Using email address as OpenID identifier The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there. As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if you had a generic way of moving from mailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID. But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll. So, do you know anyone? J EHL From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. Jones Sent: Tuesday, April 01, 2008 10:31 PM To: specs at openid.net Subject: Using email address as OpenID identifier Folks, I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php I share many of same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. 
I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right. While the e-mail address does not have to be the one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry: yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" This would allow a Relaying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use. If something like this has been discussed and rejected, what was the reason? Thanks, Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: From dick at sxip.com Wed Apr 2 05:09:21 2008 From: dick at sxip.com (Dick Hardt) Date: Tue, 1 Apr 2008 22:09:21 -0700 Subject: Using email address as OpenID identifier In-Reply-To: <045701c8947f$1fe3cf40$5fab6dc0$@com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> Message-ID: <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> Entering yahoo.com is even easier! On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote: > Eran, > > I?m not suggesting that the address must be a real e-mail address. > I?m suggesting that the ID has that form. It?s easier for users > than enteringhttps://me.yahoo.com/userid. If it happens to also be > one?s real e-mail address, fine. That would be a plus for me, but I > don?t see that as a requirement. 
> > Paul > > > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On > Behalf Of Eran Hammer-Lahav > Sent: Wednesday, April 02, 2008 12:17 AM > To: specs at openid.net > Subject: RE: Using email address as OpenID identifier > > Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html > - especially the list of other solutions proposed before me, as > well as Brad?s proposal. > > The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to > support this DNS, and they *are* the email providers. > > EHL > > From: Paul E. Jones [mailto:paulej at packetizer.com] > Sent: Tuesday, April 01, 2008 11:42 PM > To: Eran Hammer-Lahav; specs at openid.net > Subject: RE: Using email address as OpenID identifier > > Eran, > > You?re entirely correct that this is not an OpenID issue, per se. > In fact, not a single word of text would need to be changed in the > current v2 specs, as far as I?m concerned. > > But, I do think that it will take some of the core OpenID team > members to put a stake in the ground and say, ?this is the > convention that we?ll follow.? What needs to happen then is perhaps > an extension written that explains how to convert an email address > to a URL. Using NAPTR records seems like the simplest way to do it > to me, but I?m open to suggestions. > > Perhaps it is important to say, though, that I do not think it > requires the e-mail providers to get on board with this (in my view) > simpler notation. I could use an ID like paulej at myopenid.com and > that should work, if myopenid.com would publish the appropriate > NAPTR record. I could also insert NAPTR records into the > packetizer.com DNS server that would allow me to use my email > address, but point at my preferred OpenID provider. In short, just > because the user at domain syntax is used does not mean that it > necessarily an e-mail address: it could be, but more importantly, it > just follows that familiar format documented in RFC 822. 
> > Paul > > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On > Behalf Of Eran Hammer-Lahav > Sent: Tuesday, April 01, 2008 10:43 PM > To: specs at openid.net > Subject: RE: Using email address as OpenID identifier > > The beauty of the current OpenID spec is that anyone can implement > it and go live. However, with email identifiers you need email > providers to support it. If Google, Yahoo, AOL, or Microsoft > announced they are adding such a feature, I am sure the others are > likely to follow. Get 2 of these 4 and you?ve got something going. > But the biggest issue is not picking a standard but finding a > company willing to put something out there. > > As for the technical solutions, there are many from DNS to XRDS to a > simple template agreed by all. Brad Fitzpatrick argued at FooCamp > that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI > conversation. Basically if you had a generic way of moving > frommailto:user at example.com to http://example.com/url/user (or any > other URI with HTTP, the domain, and the user), any URI can be used > for OpenID. > > But at the end this is about someone of a major email provider > saying they are interested and put out something people can use. > After that I expect the snowball to roll. So, do you know anyone? J > > EHL > > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On > Behalf Of Paul E. Jones > Sent: Tuesday, April 01, 2008 10:31 PM > To: specs at openid.net > Subject: Using email address as OpenID identifier > > Folks, > > I?ve seen discussion here and there on the use of the e-mail address > as the OpenID identifier. Perhaps this one says it best: > http://www.majordojo.com/2007/02/what-openid-needs.php > > I share many of same opinions. If OpenID is going to be practically > usable by the average person, we cannot require the person to > remember some very complex identifier. 
When I signed up for Yahoo?s > OpenID service, it presented me with a hideously ugly URL that > looked similar to a base64-encoded string. I could not begin to > tell you what it was. Fortunately, Yahoo allowed me to define my > own, friendlier name. Still, the ID is not one that the average > user will remember or get right. > > While the e-mail address does not have to be the one?s ID, it can > certainly serve as an alias. Suppose, for example, that the DNS > records at Yahoo contained the following entry: > > yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/ > \1!i" > > This would allow a Relaying Party to accept an e-mail address and > perform a simple transformation to get the ?real? URL identifier. > Of course, this does not mean that the existing URL or XRI > identifiers are invalid, nor does it mean that the ?email address? > has to be a real e-mail address. But, this form would certainly be > far simpler for most people to deal use. > > If something like this has been discussed and rejected, what was the > reason? > > Thanks, > Paul > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulej at packetizer.com Wed Apr 2 05:16:41 2008 From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 2 Apr 2008 01:16:41 -0400 Subject: Using email address as OpenID identifier In-Reply-To: References: <03d401c89469$86c56720$94503560$@com> Message-ID: <046e01c89480$bc19eec0$344dcc40$@com> James, >>yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" . > > > 1. when a user enters an email address into an RP, how is the claimed > ID derived from that input? Using the NAPTR record as shown above, if I user paulej at yahoo.com, the RP could perform a translation to https://me.yahoo.com/paulej > 2. 
given such an input, how does the RP go about discovering the > OpenID endpoint URL and local ID for that identity? > > With answers to these two questions, the remainder of the protocol > should function as is. At this point, the RP would have the "real" OpenID ID for the user. Everything else would proceed as normal. > I'm guessing (correct me if I'm wrong) that you're suggesting that > this DNS lookup be done as part of (1). This seems like it would > cause confusion if the user's ISP changed their DNS, since the user > would see their email address as being the real identifier: not the > URL that it maps to. Yes, that could be an issue. However, I would expect users would use an identifier from a OP that *looks like* an e-mail address. They would not necessarily use their real address. For example, I don't use Yahoo mail, but I would enter paulej at yahoo.com as my OpenID ID. > A solution that matches closer with what the user expects would be to > map "fred at example.com" to a claimed ID of "mailto:fred at example.com". The average user is not going to know what "mailto:" is. > For (2), I'd suggest a solution that maps the email address to either > directly to an OpenID endpoint (using the claimed ID as local ID), or > to an XRDS file. A DNS based solution seems fine here (either your > NAPTR idea, or TXT records as suggested in replies to your post). NAPTR queries and transformations are straight-forward. It's just a regular expression transformation from something that looks like an e-mail address to the real OpenID ID. But, again, I don't really care how it works. But, for the benefit of those who are not so technically capable, I believe it's got to be super, super trivial. NAPTR would work extremely well, I think, and would be fast. Any OpenID OP could provide an e-mail style identifier and it would certainly be a motivator for anybody providing e-mail service to also OpenID enable their subscriber's e-mail addresses. 
Paul From dick at sxip.com Wed Apr 2 05:27:32 2008 From: dick at sxip.com (Dick Hardt) Date: Tue, 1 Apr 2008 22:27:32 -0700 Subject: Using email address as OpenID identifier In-Reply-To: <043401c8947e$b8575360$2905fa20$@com> References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com> <8A363AC7-1696-40C7-B60A-CAEFB0D2DA72@sxip.com> <043401c8947e$b8575360$2905fa20$@com> Message-ID: <392B14ED-F0D8-4705-8BFD-21471F8801E0@sxip.com> On 1-Apr-08, at 10:02 PM, Paul E. Jones wrote: > Dick, > > On this point, I really have to disagree. Even I rarely enter a URL > into a web browser. Why bother when I know the web browser will > figure it out for me. I don?t want to type http:// or https:// :-) I don't want to type the protocol either. I should have been more clear, the user types yahoo.com or aol.com into the prompt. Since this is NOT the identifier (which is a useful aspect of this method) -- the risks of NOT using https are much lower. -- Dick -------------- next part -------------- An HTML attachment was scrubbed... URL: From james at jamesh.id.au Wed Apr 2 05:27:54 2008 From: james at jamesh.id.au (James Henstridge) Date: Wed, 2 Apr 2008 13:27:54 +0800 Subject: Using email address as OpenID identifier In-Reply-To: <042601c8947d$5e23da90$1a6b8fb0$@com> References: <03d401c89469$86c56720$94503560$@com> <1076e6c00804011937n6a2610b3h4dc64b1ae3a109c@mail.gmail.com> <042601c8947d$5e23da90$1a6b8fb0$@com> Message-ID: On 02/04/2008, Paul E. Jones wrote: > Brad, > > Your point about DNS limitations is valid. Then again, anybody who will be > offering the open identity server is likely going to have control over their > DNS. Still, I'm not opposed to alternatives. > > But, since you brought up the fact that one can enter yahoo.com and get > redirected, I checked and, indeed, several OpenID sites already accept the > e-mail ID as a form of identification?and I can get redirected to either > Yahoo or MyOpenID.com. 
So, do some of the libraries already check for > e-mail address forms? It seems that perhaps they do! What you are seeing is probably not what you expect: >>> from openid.consumer.discover import discover >>> claimed_id, services = discover('anything at yahoo.com') >>> for service in services: ... print 'Local ID:', service.getLocalID() ... print 'Server URL:', service.server_url ... Local ID: None Server URL: https://open.login.yahooapis.com/openid/op/auth >>> claimed_id 'http://www.yahoo.com/' What is happening is that "anything at yahoo.com" is being treated as "http://anything at yahoo.com/". As "http://yahoo.com" results in an identifier select endpoint that will work for any Yahoo user. Note that the HTTP username isn't being used for anything here, and you'll get the same result by just entering "yahoo.com". I wonder if the Yahoo guys had considered this, or if it is just a happy accident? James. From paulej at packetizer.com Wed Apr 2 06:15:04 2008 From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 2 Apr 2008 02:15:04 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> Message-ID: <048401c89488$e44465d0$accd3170$@com> Dick, I'll give you that one: that's certainly easier. But, does not cause some confusion? After all, one's identity is not yahoo.com, but that is the identity provider. Perhaps the prompts around the Internet ought to Say "OpenID Provider:" instead? :-) Presently, this variant works form some providers, but not most. I assume it's due to the fact they're not fully compliant with the spec yet? Or, is there some confusion as to how this ought to work? 
Paul From: Dick Hardt [mailto:dick at sxip.com] Sent: Wednesday, April 02, 2008 1:09 AM To: Paul E. Jones Cc: 'Eran Hammer-Lahav'; specs at openid.net Subject: Re: Using email address as OpenID identifier Entering yahoo.com is even easier! On 1-Apr-08, at 10:05 PM, Paul E. Jones wrote: Eran, I'm not suggesting that the address must be a real e-mail address. I'm suggesting that the ID has that form. It's easier for users than enteringhttps://me.yahoo.com/userid. If it happens to also be one's real e-mail address, fine. That would be a plus for me, but I don't see that as a requirement. Paul From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Wednesday, April 02, 2008 12:17 AM To: specs at openid.net Subject: RE: Using email address as OpenID identifier Take a look at http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html - especially the list of other solutions proposed before me, as well as Brad's proposal. The thing is, you need the @gmail, @hotmail, @msn, @yahoo, @aol to support this DNS, and they *are* the email providers. EHL From: Paul E. Jones [mailto:paulej at packetizer.com] Sent: Tuesday, April 01, 2008 11:42 PM To: Eran Hammer-Lahav; specs at openid.net Subject: RE: Using email address as OpenID identifier Eran, You're entirely correct that this is not an OpenID issue, per se. In fact, not a single word of text would need to be changed in the current v2 specs, as far as I'm concerned. But, I do think that it will take some of the core OpenID team members to put a stake in the ground and say, "this is the convention that we'll follow." What needs to happen then is perhaps an extension written that explains how to convert an email address to a URL. Using NAPTR records seems like the simplest way to do it to me, but I'm open to suggestions. Perhaps it is important to say, though, that I do not think it requires the e-mail providers to get on board with this (in my view) simpler notation. 
I could use an ID like paulej at myopenid.com and that should work, if myopenid.com would publish the appropriate NAPTR record. I could also insert NAPTR records into the packetizer.com DNS server that would allow me to use my email address, but point at my preferred OpenID provider. In short, just because the user at domain syntax is used does not mean that it necessarily an e-mail address: it could be, but more importantly, it just follows that familiar format documented in RFC 822. Paul From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, April 01, 2008 10:43 PM To: specs at openid.net Subject: RE: Using email address as OpenID identifier The beauty of the current OpenID spec is that anyone can implement it and go live. However, with email identifiers you need email providers to support it. If Google, Yahoo, AOL, or Microsoft announced they are adding such a feature, I am sure the others are likely to follow. Get 2 of these 4 and you've got something going. But the biggest issue is not picking a standard but finding a company willing to put something out there. As for the technical solutions, there are many from DNS to XRDS to a simple template agreed by all. Brad Fitzpatrick argued at FooCamp that this is not an OpenID issue, but a non-HTTP URI --> HTTP URI conversation. Basically if you had a generic way of moving frommailto:user at example.com to http://example.com/url/user (or any other URI with HTTP, the domain, and the user), any URI can be used for OpenID. But at the end this is about someone of a major email provider saying they are interested and put out something people can use. After that I expect the snowball to roll. So, do you know anyone? J EHL From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Paul E. 
Jones Sent: Tuesday, April 01, 2008 10:31 PM To: specs at openid.net Subject: Using email address as OpenID identifier Folks, I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best: http://www.majordojo.com/2007/02/what-openid-needs.php I share many of same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right. While the e-mail address does not have to be the one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry: yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i" This would allow a Relaying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use. If something like this has been discussed and rejected, what was the reason? Thanks, Paul _______________________________________________ specs mailing list specs at openid.net http://openid.net/mailman/listinfo/specs -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From james at jamesh.id.au Wed Apr 2 06:33:53 2008 From: james at jamesh.id.au (James Henstridge) Date: Wed, 2 Apr 2008 14:33:53 +0800 Subject: Using email address as OpenID identifier In-Reply-To: <046e01c89480$bc19eec0$344dcc40$@com> References: <03d401c89469$86c56720$94503560$@com> <046e01c89480$bc19eec0$344dcc40$@com> Message-ID: On 02/04/2008, Paul E. Jones wrote: > > A solution that matches closer with what the user expects would be to > > map "fred at example.com" to a claimed ID of "mailto:fred at example.com". > > The average user is not going to know what "mailto:" is. The mailto: transition would be something done internally by the RP. The RP could (and probably should) display email addresses without the "mailto:" prefix to the user. This is similar to the way RPs store persistent XRIs as the user's claimed ID but are encouraged to display the reassignable XRI. > > For (2), I'd suggest a solution that maps the email address to either > > directly to an OpenID endpoint (using the claimed ID as local ID), or > > to an XRDS file. A DNS based solution seems fine here (either your > > NAPTR idea, or TXT records as suggested in replies to your post). > > > NAPTR queries and transformations are straight-forward. It's just a regular > expression transformation from something that looks like an e-mail address > to the real OpenID ID. > > But, again, I don't really care how it works. But, for the benefit of those > who are not so technically capable, I believe it's got to be super, super > trivial. NAPTR would work extremely well, I think, and would be fast. Any > OpenID OP could provide an e-mail style identifier and it would certainly be > a motivator for anybody providing e-mail service to also OpenID enable their > subscriber's e-mail addresses. I don't think there is a need to introduce an HTTP identity URL here. If you're going to use an email address as an identity, then use an email address as an identity. James. 
From dick at sxip.com Wed Apr 2 06:36:43 2008 From: dick at sxip.com (Dick Hardt) Date: Tue, 1 Apr 2008 23:36:43 -0700 Subject: Using email address as OpenID identifier In-Reply-To: <048401c89488$e44465d0$accd3170$@com> References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> <048401c89488$e44465d0$accd3170$@com> Message-ID: <5FBF6E50-E1E4-4994-A50A-7B0340E59529@sxip.com> On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote: > Dick, > > I?ll give you that one: that?s certainly easier. But, does not > cause some confusion? After all, one?s identity is not yahoo.com, > but that is the identity provider. Perhaps the prompts around the > Internet ought to Say ?OpenID Provider:? instead? :-) :-) ... that label would be more accurate. There is lots of work to be done to make OpenID simpler for users. I think that what will be easy for users is something provided by the browser that lets the user click to initiate a login or registration. No typing is better then any typing! Back when we started working on the protocols we could not expect this kind of functionality to be in the browsers. Now that awareness is higher, having it built into the browser is feasible. I of course am biased given the work we have done with Sxipper http://sxipper.com :) > > Presently, this variant works form some providers, but not most. I > assume it?s due to the fact they?re not fully compliant with the > spec yet? Or, is there some confusion as to how this ought to work? I don't think an OP is not OpenID 2.0 compliant if it does not take the OP as an identifier -- but I would have to reread to the spec to make sure. -- Dick -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From joseph at josephholsten.com Wed Apr 2 08:52:10 2008 From: joseph at josephholsten.com (Joseph Anthony Pasquale Holsten) Date: Wed, 2 Apr 2008 03:52:10 -0500 Subject: Using email address as OpenID identifier In-Reply-To: <03d401c89469$86c56720$94503560$@com> References: <03d401c89469$86c56720$94503560$@com> Message-ID: <6E514F46-6262-43B3-987C-3CD5640D7DBB@josephholsten.com> Does anyone have the time to write an email -> xrds discovery spec so we can formally ignore it? And so people can argue with their dns providers instead of on list? http:// Joseph Holsten .com On 02008:04:01, at 9:30CDT, Paul E. Jones wrote: > Folks, > > > > I?ve seen discussion here and there on the use of the e-mail > address as the OpenID identifier. Perhaps this one says it best: > > http://www.majordojo.com/2007/02/what-openid-needs.php > > > > I share many of same opinions. If OpenID is going to be > practically usable by the average person, we cannot require the > person to remember some very complex identifier. When I signed up > for Yahoo?s OpenID service, it presented me with a hideously ugly > URL that looked similar to a base64-encoded string. I could not > begin to tell you what it was. Fortunately, Yahoo allowed me to > define my own, friendlier name. Still, the ID is not one that the > average user will remember or get right. > > > > While the e-mail address does not have to be the one?s ID, it can > certainly serve as an alias. Suppose, for example, that the DNS > records at Yahoo contained the following entry: > > > > yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https:// > me.yahoo.com/\1!i" > > > > This would allow a Relaying Party to accept an e-mail address and > perform a simple transformation to get the ?real? URL identifier. > Of course, this does not mean that the existing URL or XRI > identifiers are invalid, nor does it mean that the ?email address? > has to be a real e-mail address. 
> But, this form would certainly be far simpler for most people to deal use.
>
> If something like this has been discussed and rejected, what was the reason?
>
> Thanks,
>
> Paul
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs

From gffletch at aol.com Wed Apr 2 12:41:30 2008
From: gffletch at aol.com (George Fletcher)
Date: Wed, 02 Apr 2008 08:41:30 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <5FBF6E50-E1E4-4994-A50A-7B0340E59529@sxip.com>
References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> <048401c89488$e44465d0$accd3170$@com> <5FBF6E50-E1E4-4994-A50A-7B0340E59529@sxip.com>
Message-ID: <47F37EFA.7090001@aol.com>

Dick Hardt wrote:
>
> On 1-Apr-08, at 11:15 PM, Paul E. Jones wrote:
>> Dick,
>>
>> I'll give you that one: that's certainly easier. But, does it not cause
>> some confusion? After all, one's identity is not yahoo.com, but that
>> is the identity provider. Perhaps the prompts around the Internet
>> ought to say "OpenID Provider:" instead? :-)
>
> :-) ... that label would be more accurate. There is lots of work to be
> done to make OpenID simpler for users. I think that what will be easy
> for users is something provided by the browser that lets the user
> click to initiate a login or registration. No typing is better than
> any typing! Back when we started working on the protocols we could not
> expect this kind of functionality to be in the browsers. Now that
> awareness is higher, having it built into the browser is feasible. I
> of course am biased given the work we have done with Sxipper
> http://sxipper.com :)

For the majority of users, this is probably the most likely path of introduction to OpenID. Note that it's not just about allowing the user to do something with one click, but also about being proactive and informing the user that they can login to a site with an identity they already have. This can be as simple as telling the browser "identity agent" (e.g. sxipper) which email addresses the user has and letting the identity agent figure out which OpenIDs the user has that they don't even know about.

I think relying party sites that support OpenID could do more to make it clear on their home pages that they support OpenID (as often it's hidden behind another click). This could be as simple as some <link> tags that advertise support for OpenID. Maybe a <link> to the XRDS doc describing the services of the site. Then the identity agent can discover the relying party OpenID return_to endpoint and log the user in directly. Can be used to solve a phishing problem and makes the experience easy for the user.

Some related thoughts ....
http://practicalid.blogspot.com/2007/06/clients-to-rescue.html
http://practicalid.blogspot.com/2007/06/passive-identity-meta-system-markup.html

Thanks,
George

From James.McGovern at thehartford.com Wed Apr 2 13:28:59 2008
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Wed, 2 Apr 2008 09:28:59 -0400
Subject: OpenID and Yahoo
Message-ID: <9C557D8C6864CA438EF362318A3DF6D5649169@AD1HFDEXC306.ad1.prod>

Does anyone have a perspective on Yahoo and AOL and their weak support for OpenID? It is good that they are a provider, but shouldn't they really also allow access based on an OpenID issued by signon.com, myvidoop.com and others...

*************************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
*************************************************************************

From dick at sxip.com Wed Apr 2 15:43:09 2008
From: dick at sxip.com (Dick Hardt)
Date: Wed, 2 Apr 2008 08:43:09 -0700
Subject: OpenID and Yahoo
In-Reply-To: <9C557D8C6864CA438EF362318A3DF6D5649169@AD1HFDEXC306.ad1.prod>
References: <9C557D8C6864CA438EF362318A3DF6D5649169@AD1HFDEXC306.ad1.prod>
Message-ID: <82E585A8-5FD9-414E-AAAD-312C451131A2@sxip.com>

On 2-Apr-08, at 6:28 AM, McGovern, James F (HTSC, IT) wrote:
> Does anyone have a perspective on Yahoo and AOL and their weak support
> for OpenID? It is good that they are a provider, but shouldn't they
> really also allow access based on an OpenID issued by signon.com,
> myvidoop.com and others...

I would be much more interested in them supporting Attribute Exchange so that their users' data could easily be consumed by other sites.

This topic was recently covered by TechCrunch[1] and I responded [2]

-- Dick

[1] http://www.techcrunch.com/2008/03/24/is-openid-being-exploited-by-the-big-internet-companies/
[2] http://identity20.com/?p=147

From paulej at packetizer.com Wed Apr 2 16:14:07 2008
From: paulej at packetizer.com (Paul E. Jones)
Date: Wed, 2 Apr 2008 12:14:07 -0400
Subject: Using email address as OpenID identifier
In-Reply-To: <6E514F46-6262-43B3-987C-3CD5640D7DBB@josephholsten.com>
References: <03d401c89469$86c56720$94503560$@com> <6E514F46-6262-43B3-987C-3CD5640D7DBB@josephholsten.com>
Message-ID: <050601c894dc$942fdda0$bc8f98e0$@com>

Joseph,

That argument was given to me yesterday, but I don't think you really need to worry with your DNS provider unless you're also trying to operate your own OP.

Suppose, for example, you have an ID assigned by myopenid.com. I don't know what URI format they'll use, but let's say it is https://myopenid.com/joseph. Or, perhaps it's https://joseph.myopenid.com. Whatever the format, there is always a user component to it. So, it would be quite simple to take the user component and put it into an e-mail ID style like joseph at myopenid.com. This does not necessarily mean you have an e-mail address, but it could be an e-mail address.

The conversion from that form to a URI form is easily achieved via NAPTR records similar to the one I show below. So, before any XRDS query is performed, the RP would see if the ID provided is an e-mail-style ID. If so, query for the NAPTR record and then perform the conversion from the e-mail-style to a URL. From there, it all works the same.

It's just a "make it simple" enhancement that requires no changes to the core OpenID specs.

Paul

From: Joseph Holsten [mailto:josephholsten at gmail.com] On Behalf Of Joseph Anthony Pasquale Holsten
Sent: Wednesday, April 02, 2008 4:52 AM
To: Paul E. Jones
Cc: specs at openid.net
Subject: Re: Using email address as OpenID identifier

Does anyone have the time to write an email -> xrds discovery spec so we can formally ignore it? And so people can argue with their dns providers instead of on list?

http:// Joseph Holsten .com

On 02008:04:01, at 9:30CDT, Paul E. Jones wrote:

Folks,

I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best:

http://www.majordojo.com/2007/02/what-openid-needs.php

I share many of same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.

While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:

yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "^(.+)@(.*)$!https://me.yahoo.com/\1!i"

This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to deal use.

If something like this has been discussed and rejected, what was the reason?

Thanks,

Paul

From drummond.reed at cordance.net Wed Apr 2 18:38:13 2008
From: drummond.reed at cordance.net (Drummond Reed)
Date: Wed, 2 Apr 2008 11:38:13 -0700
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <47F37EFA.7090001@aol.com>
Message-ID: <024501c894f0$b65a6b20$6d01a8c0@ELROND>

George, I read your two posts with great interest...and then noticed that they were last summer!

You are a man ahead of your time.

Where has discussion of your "IDMML" gone since your posts?

=Drummond

From gffletch at aol.com Wed Apr 2 18:50:26 2008
From: gffletch at aol.com (George Fletcher)
Date: Wed, 02 Apr 2008 14:50:26 -0400
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <024501c894f0$b65a6b20$6d01a8c0@ELROND>
References: <024501c894f0$b65a6b20$6d01a8c0@ELROND>
Message-ID: <47F3D572.6010705@aol.com>
Unfortunately, not as far as I'd like :( I've not been able to get back to the ideas and take them farther. With the other things that have happened in the last 6 months there are needed revisions. Maybe this could be a discussion at IIW (if there is enough interest)?

At the time there was less consensus around XRDS as a service "description/meta-data" markup. With that changing, the time is better to move this forward. I suspect there are significant synergies with what Peter hinted at in the work with XRDS, IDP Discovery, and SAML. It would be great if identity agents could be the glue that binds the different identity systems together for the user (until we on the technology side get closer to real convergence:).

Thanks,
George

From christopher at pobox.com Wed Apr 2 20:29:48 2008
From: christopher at pobox.com (Chris Drake)
Date: Thu, 3 Apr 2008 06:29:48 +1000
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <024501c894f0$b65a6b20$6d01a8c0@ELROND>
References: <47F37EFA.7090001@aol.com> <024501c894f0$b65a6b20$6d01a8c0@ELROND>
Message-ID: <996955838.20080403062948@pobox.com>

Hi Drummond,

I pushed hard for RP identification for 2 or 3 months back around October 2006. If anyone wants to go back through the archives, there's a pile of other important reasons to have some way that an IdP and/or browser agent can identify an OpenID-enabled site. The antique thread below lists a few. My proposal too was a <link> tag.

Kind Regards,
Chris Drake

Tuesday, November 7, 2006, 12:51:15 I, you wrote:

CD> Hi Johannes,

CD> I proposed a solution to the "single sign out" problem a month or two
CD> ago.

CD> In fact - a whole range of solutions have been proposed, and relative
CD> merits of all discussed already - does anyone have the free time to go
CD> back over the postings, extract all the knowledge & contributions, and
CD> document them all?

CD> To summarize my proposal - I was seeking a standardized OpenID RP
CD> endpoint interface into which I (as an IdP) or a software agent (eg: a
CD> browser plugin) could "post" user information - be this a login
CD> request, email change request, log-out request, account signup,
CD> account cancelation, or whatever. My preferred implementation was a
CD> <link> tag placed on (and thus identifying) a login page, and within
CD> the link tag, the endpoint of the RP for accepting IdP(OP/agent)
CD> input.

CD> Kind Regards,
CD> Chris Drake

CD> Tuesday, November 7, 2006, 1:04:44 PM, you wrote:

JE>> I continue to believe that we need single-sign-out
JE>> functionality, in particular once OpenID moves up the stack for
JE>> higher-value transactions.

JE>> Some people have made the case that that is undesirable
JE>> and/or impossible; I beg to differ.

JE>> Having automatic authentication against the IdP is quite
JE>> similar to not having a password on the identity at all, in that
JE>> it reduces the confidence that we know the real-world identity of
JE>> the entity/user at the other end. In my view, there's nothing
JE>> wrong with that, but we do need to be able to convey that to
JE>> relying parties in a way that cannot be easily attacked.

JE>> On Nov 6, 2006, at 16:41, Joshua Viney wrote:

JE>> One question re: User Experience and single-sign-on comes to mind:

JE>> How do we treat users who are accessing their IdP and
JE>> Relying Parties via public computers?

JE>> Use Case:
JE>> Good User at public library wants to leave a comment on Blog X
JE>> Blog X requires the person to authenticate via OpenID
JE>> Good User enters their OpenID and successfully authenticates
JE>> via email and password (or whatever) (and authorizes the RP
JE>> ('realm' in 2.0) if necessary) at their IdP
JE>> Good User is redirected to Blog X signed in
JE>> Good User leaves comment
JE>> Good User signs out of Blog X (if sign out is even an option)
JE>> Good User then leaves the public library and goes shopping
JE>> Evil User jumps on computer and proceeds to leave comments at
JE>> any number of OpenID enabled blogs using Good User's OpenID (he
JE>> saw it while looking over Good User's shoulder, or he checks any
JE>> sites that Good User did NOT sign out of that might display his
JE>> OpenID)
JE>> Evil User uses Good User's signed in IdP session to sign into any number of sites, etc

JE>> Outcome: Good User's reputation is ruined and his/her OpenID
JE>> is banned from a whole list of Relying Parties. Good User then
JE>> blames their IdP, the Relying Parties and OpenID as a technology
JE>> and tells everyone he/she knows not to use it, blogs about it and
JE>> initiates a press release.

JE>> It may be easy to pass this off as an implementation specific
JE>> issue or as "user error", but this use case is somewhat likely for
JE>> 2 reasons:

JE>> 1. A user's OpenID URI is not necessarily a private thing
JE>> (obscurity is not security anyway)
JE>> 2. Users will be at least 1 site removed from their IdP while
JE>> accessing a Relying Party, and no one is used to signing out twice
JE>> 3. It is very very likely that IdPs will use some type of "remember me" functionality

JE>> One solution to consider would be a global sign-out feature
JE>> on relying party sites that signs users out of their IdP as well.
JE>> Another solution would be to make very specific recommendations
JE>> about messaging users who may be using public computers.

JE>> Josh Viney
JE>> http://www.eastmedia.com -- EastMedia
JE>> http://identity.eastmedia.com -- OpenID, Identity 2.0

JE>> _______________________________________________
JE>> user-experience mailing list
JE>> user-experience at openid.net
JE>> http://openid.net/mailman/listinfo/user-experience

Kind Regards,
Chris Drake,
=1id.com
From drummond.reed at cordance.net Wed Apr 2 22:40:37 2008
From: drummond.reed at cordance.net (Drummond Reed)
Date: Wed, 2 Apr 2008 15:40:37 -0700
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <996955838.20080403062948@pobox.com>
Message-ID: <02fb01c89512$93881c60$6d01a8c0@ELROND>

Chris, I remember that well, and I agree that it makes a lot of sense. I think when this is combined with George's concept of the other ways in which a local identity agent can assist the user, then IDMML really starts to gain some legs.

See also my reply to George.

=Drummond

From drummond.reed at cordance.net Wed Apr 2 22:54:46 2008
From: drummond.reed at cordance.net (Drummond Reed)
Date: Wed, 2 Apr 2008 15:54:46 -0700
Subject: IDMML (was RE: Using email address as OpenID identifier)
In-Reply-To: <47F3D572.6010705@aol.com>
Message-ID: <030201c89514$8d33dcd0$6d01a8c0@ELROND>
George, I agree that several things have evolved which could make an IDMML practical now. Seems like a very good topic for IIW. I just put it on the list of proposed sessions:

http://iiw.idcommons.net/index.php/Proposed_Topics_2008a

=Drummond

From mart at degeneration.co.uk Mon Apr 7 17:56:57 2008
From: mart at degeneration.co.uk (Martin Atkins)
Date: Mon, 07 Apr 2008 18:56:57 +0100
Subject: Using email address as OpenID identifier
In-Reply-To: <040c01c89473$8716fe00$9544fa00$@com>
References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com>
Message-ID: <47FA6069.1040800@degeneration.co.uk>

Paul E. Jones wrote:
>
> Perhaps it is important to say, though, that I do not think it requires
> the e-mail providers to get on board with this (in my view) simpler
> notation. I could use an ID like paulej at myopenid.com and that should
> work, if myopenid.com would publish the appropriate NAPTR record. I
> could also insert NAPTR records into the packetizer.com DNS server that
> would allow me to use my email address, but point at my preferred OpenID
> provider. In short, just because the user at domain syntax is used does
> not mean that it is necessarily an e-mail address: it could be, but more
> importantly, it just follows that familiar format documented in RFC 822.
>

Funnily enough, I've always perceived the fact that syntactically-valid but non-existent email addresses are being used as identifiers as a problem rather than a benefit:

* It creates confusion for users when something looks like an email address but it doesn't behave as one. I've seen this sort of confusion with Jabber servers, where users get confused that their Jabber ID and email address are not the same, especially when Jabber clients say "For example, user at example.com" under the Jabber ID field.

* If not all email-shaped OpenID identifiers are actually working mailboxes, it's likely to lead to a distressing user experience where the user is first asked to enter their OpenID identifier -- that is, their email address -- and then they're asked to enter and verify their email address. At this point, I expect users to at best say "Stupid computer! Remember what I've told you!" and at worst get confused and think that the OpenID identifier they entered was not correct.

* As has often been raised in both the OpenID-with-email and in the Jabber circles, many people are reluctant to give up their email addresses to the public eye for fear of spam. Note that Yahoo.com will, by default, use a big opaque string as an identifier rather than the user's Yahoo! account name for this very reason.

From mart at degeneration.co.uk Mon Apr 7 17:58:31 2008
From: mart at degeneration.co.uk (Martin Atkins)
Date: Mon, 07 Apr 2008 18:58:31 +0100
Subject: Using email address as OpenID identifier
In-Reply-To: <048401c89488$e44465d0$accd3170$@com>
References: <03d401c89469$86c56720$94503560$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BD3@manhattan.hueniverse.net> <040c01c89473$8716fe00$9544fa00$@com> <1CF0CFAED429364597531B94A3D5905C0FA1FC5BDA@manhattan.hueniverse.net> <045701c8947f$1fe3cf40$5fab6dc0$@com> <4DB698D1-C2C6-41AA-8F34-2C78523C4B3A@sxip.com> <048401c89488$e44465d0$accd3170$@com>
Message-ID: <47FA60C7.5070203@degeneration.co.uk>

Paul E. Jones wrote:
>
> I'll give you that one: that's certainly easier. But, does it not cause
> some confusion? After all, one's identity is not yahoo.com, but that is
> the identity provider. Perhaps the prompts around the Internet ought to
> say "OpenID Provider:" instead? :-)
>

I propose that the caption be "Whatever your OpenID provider told you to enter: ".

(I joke, of course. Mostly.)
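The e-mail-to-URL mapping that Paul proposes earlier in the thread (and that his text quoted in Martin's message refers to): a relying party sees a user@domain identifier, fetches the NAPTR record at the domain part, and applies the record's regexp rewrite to obtain the URL identifier on which normal discovery then runs. The following is an added example, not code from the thread or from any OpenID library. It uses an in-memory table in place of a DNS query; the yahoo.com rule is Paul's, written with the leading delimiter that the RFC 3403 substitution syntax ("delim ere delim repl delim flags") requires, and the example.org and bad.example records are constructed. The checks a relying party would want are included: only e-mail-shaped input is rewritten, only terminal ("U") OpenID2 rules are used, lowest order then lowest preference wins, and the rewritten value is accepted only if it is an absolute https URL, because the rewrite is driven by unauthenticated DNS data.

```python
"""E-mail-style OpenID identifier -> URL identifier via a NAPTR rewrite.

Added example (not from the thread or any OpenID library). DNS is replaced
by a constructed in-memory table so the code runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a NAPTR query at the identifier's domain part.
# Tuple fields mirror the RR: (order, preference, flags, service, regexp,
# replacement). Real code would ask the resolver instead.
NAPTR_FIXTURE: Dict[str, List[Tuple[int, int, str, str, str, str]]] = {
    # Paul's hypothetical yahoo.com rule, with the leading delimiter that the
    # RFC 3403 substitution syntax requires: delim ere delim repl delim flags.
    "yahoo.com": [
        (100, 10, "U", "OpenID2", r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i", ""),
    ],
    # Constructed: two rules; the lower order must win whatever the listing order.
    "example.org": [
        (200, 10, "U", "OpenID2", r"!^(.+)@(.*)$!http://legacy.example.org/id/\1!", ""),
        (100, 10, "U", "OpenID2", r"!^(.+)@example\.org$!https://id.example.org/users/\1!i", ""),
    ],
    # Constructed: a rule whose output is not an absolute URL and must be rejected.
    "bad.example": [
        (100, 10, "U", "OpenID2", r"!^(.+)@(.*)$!/users/\1!", ""),
    ],
}

# user@domain with a dotted domain; anything else is handled as a URL or XRI.
EMAIL_SHAPED = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


@dataclass(frozen=True)
class Rule:
    order: int
    preference: int
    regexp: str


def parse_substitution(expr: str) -> Tuple["re.Pattern[str]", str]:
    """Split "delim ere delim repl delim flags" into a compiled pattern and repl."""
    if len(expr) < 3:
        raise ValueError("substitution expression too short")
    parts = expr[1:].split(expr[0])
    if len(parts) != 3:
        raise ValueError("expected delim ere delim repl delim flags")
    ere, repl, flags = parts
    if flags not in ("", "i"):  # "i" is the only flag RFC 3402 defines
        raise ValueError("unsupported flag %r" % flags)
    return re.compile(ere, re.IGNORECASE if flags == "i" else 0), repl


def expand(repl: str, m: "re.Match[str]") -> str:
    """Fill \\1..\\9 backreferences in repl; any other backslash stays literal."""
    out, i = [], 0
    while i < len(repl):
        if repl[i] == "\\" and i + 1 < len(repl) and repl[i + 1] in "123456789":
            n = int(repl[i + 1])
            if n > m.re.groups:
                raise ValueError("backreference \\%d has no group" % n)
            out.append(m.group(n) or "")
            i += 2
        else:
            out.append(repl[i])
            i += 1
    return "".join(out)


def select_rule(records) -> Optional[Rule]:
    """Keep terminal ("U") OpenID2 rules; lowest order, then lowest preference wins."""
    usable = [
        Rule(o, p, rx)
        for (o, p, flags, service, rx, repl) in records
        if flags.upper() == "U" and service.upper() == "OPENID2" and repl in ("", ".")
    ]
    return min(usable, key=lambda r: (r.order, r.preference)) if usable else None


def email_to_openid_url(identifier: str, lookup=NAPTR_FIXTURE.get) -> Optional[str]:
    """Return the URL identifier for an e-mail-style identifier, or None.

    None means "not applicable": the input is not e-mail-shaped, the domain
    publishes no usable rule, the rule does not match, or the rewrite does
    not yield an absolute https URL. On success the caller still runs normal
    OpenID discovery on the returned URL; the NAPTR data is unauthenticated.
    """
    if not EMAIL_SHAPED.match(identifier):
        return None
    domain = identifier.rsplit("@", 1)[1].lower()
    rule = select_rule(lookup(domain) or [])
    if rule is None:
        return None
    pattern, repl = parse_substitution(rule.regexp)
    m = pattern.search(identifier)
    if m is None:
        return None
    url = expand(repl, m)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # policy choice: only https claimed identifiers are accepted
    if any(ord(ch) < 0x21 for ch in url):
        return None  # no whitespace or control characters in the rewritten URL
    return url


if __name__ == "__main__":
    for ident in ("paulej@yahoo.com", "alice@example.org", "bob@bad.example",
                  "https://me.yahoo.com/paulej"):
        print(ident, "->", email_to_openid_url(ident))
```

The returned URL is only the claimed identifier, so the relying party proceeds with ordinary XRDS/HTML discovery on it exactly as it would for a URL the user typed, and, per Martin's point, the e-mail-shaped input is not treated as a verified mailbox.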
From James.McGovern at thehartford.com Mon Apr 7 19:21:07 2008 From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT)) Date: Mon, 7 Apr 2008 15:21:07 -0400 Subject: Using email address as OpenID identifier In-Reply-To: References: Message-ID: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> This would require defining an OpenID SRV record in DNS. Would make sense for someone to get this formally defined as part of IETF. Could kinda be done in the same way that Boeing is moving forward definition of XRI in LDAP.. -----Original Message----- Message: 1 Date: Mon, 07 Apr 2008 18:56:57 +0100 From: Martin Atkins Subject: Re: Using email address as OpenID identifier To: specs at openid.net Message-ID: <47FA6069.1040800 at degeneration.co.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Paul E. Jones wrote: > > Perhaps it is important to say, though, that I do not think it > requires the e-mail providers to get on board with this (in my view) > simpler notation. I could use an ID like paulej at myopenid.com and that > should work, if myopenid.com would publish the appropriate NAPTR > record. I could also insert NAPTR records into the packetizer.com DNS > server that would allow me to use my email address, but point at my > preferred OpenID provider. In short, just because the user at domain > syntax is used does not mean that it necessarily an e-mail address: it > could be, but more importantly, it just follows that familiar format documented in RFC 822. > Funnily enough, I've always percieved the fact that syntactically-valid but non-existant email addresses are being used as identifiers as a problem rather than a benefit: * It creates confusion for users when something looks like an email address but it doesn't behave as one. 
I've seen this sort of confusion with Jabber servers, where users get confused that their Jabber ID and email address are not the same, especially when Jabber clients say "For example, user at example.com" under the Jabber ID field. * If not all email-shaped OpenID identifiers are actually working mailboxes, it's likely to lead to a distressing user experience where the user is first asked to enter their OpenID identifier -- that is, their email address -- and then they're asked to enter and verify their email address. At this point, I expect users to at best say "Stupid computer! Remember what I've told you!" and at worst get confused and think that the OpenID identifier they entered was not correct. * As has often been raised in both the OpenID-with-email and in the Jabber circles, many people are reluctant to give up their email addresses to the public eye for fear of spam. Note that Yahoo.com will, by default, use a big opaque string as an identifier rather than the user's Yahoo! account name for this very reason. ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. 
************************************************************************* From holger at baxmann.com Mon Apr 7 21:55:27 2008 From: holger at baxmann.com (Holger Baxmann) Date: Mon, 7 Apr 2008 23:55:27 +0200 Subject: Using email address as OpenID identifier In-Reply-To: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> Message-ID: <2F5F0642-B6E4-455A-831F-72AFAC3E5011@baxmann.com> What about having an ENUM e164.org record holding not only the IP of a SIP broker, but the OpenID ID, whatever format and syntax it might have. The appropriate IETF RFC 2916 "E.164 number and DNS" could provide not only mangling with e-mail addresses but also with telephone numbers: this will provide much more fun! But seriously: mixing the POTS numbering system with the now good old internet identification could be an in-place solution, IMHO. 2ct .bax On 07.04.2008 at 21:21, McGovern, James F (HTSC, IT) wrote: > This would require defining an OpenID SRV record in DNS. Would make > sense for someone to get this formally defined as part of IETF. Could > kinda be done in the same way that Boeing is moving forward definition > of XRI in LDAP. > > -----Original Message----- > > Message: 1 > Date: Mon, 07 Apr 2008 18:56:57 +0100 > From: Martin Atkins > Subject: Re: Using email address as OpenID identifier > To: specs at openid.net > Message-ID: <47FA6069.1040800 at degeneration.co.uk> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Paul E. Jones wrote: >> >> Perhaps it is important to say, though, that I do not think it >> requires the e-mail providers to get on board with this (in my view) >> simpler notation. I could use an ID like paulej at myopenid.com and >> that > >> should work, if myopenid.com would publish the appropriate NAPTR >> record. 
I could also insert NAPTR records into the packetizer.com >> DNS > >> server that would allow me to use my email address, but point at my >> preferred OpenID provider. In short, just because the user at domain >> syntax is used does not mean that it is necessarily an e-mail address: >> it > >> could be, but more importantly, it just follows that familiar format > documented in RFC 822. >> > > Funnily enough, I've always perceived the fact that syntactically- > valid > but non-existent email addresses are being used as identifiers as a > problem rather than a benefit: > > * It creates confusion for users when something looks like an email > address but it doesn't behave as one. I've seen this sort of confusion > with Jabber servers, where users get confused that their Jabber ID and > email address are not the same, especially when Jabber clients say > "For > example, user at example.com" under the Jabber ID field. > > * If not all email-shaped OpenID identifiers are actually working > mailboxes, it's likely to lead to a distressing user experience where > the user is first asked to enter their OpenID identifier -- that is, > their email address -- and then they're asked to enter and verify > their > email address. At this point, I expect users to at best say "Stupid > computer! Remember what I've told you!" and at worst get confused and > think that the OpenID identifier they entered was not correct. > > * As has often been raised in both the OpenID-with-email and in the > Jabber circles, many people are reluctant to give up their email > addresses to the public eye for fear of spam. Note that Yahoo.com > will, > by default, use a big opaque string as an identifier rather than the > user's Yahoo! account name for this very reason. 
> > > > > ************************************************************************* > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the > intended > recipient, any use, copying, disclosure, dissemination or > distribution is > strictly prohibited. If you are not the intended recipient, please > notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. > ************************************************************************* > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs From hexayurt at gmail.com Wed Apr 9 09:52:53 2008 From: hexayurt at gmail.com (Vinay Gupta) Date: Wed, 9 Apr 2008 11:52:53 +0200 Subject: Google OpenID is now live Message-ID: http://openid-provider.appspot.com/ Somebody used their app hosting service and implemented an OpenID provider. That kind of changes things, doesn't it? Vinay -- Vinay Gupta - Designer, Hexayurt Project - an excellent public domain refugee shelter system Gizmo Project VOIP: 775-743-1851 (usually works!) http://hexayurt.com/ Cell: Iceland (+354) 869-4605 Skype/Gizmo/Gtalk: hexayurt People with courage and character always seem sinister to the rest Herman Hesse -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulmadsen at rogers.com Wed Apr 9 11:49:51 2008 From: paulmadsen at rogers.com (Paul Madsen) Date: Wed, 09 Apr 2008 07:49:51 -0400 Subject: Google OpenID is now live In-Reply-To: References: Message-ID: <47FCAD5F.1020701@rogers.com> I expect Google might have a (legal) opinion on characterizing this application as 'Google OpenID' I think I'll wait for Google itself to enable my Gmail as an OpenID. 
paul Vinay Gupta wrote: > http://openid-provider.appspot.com/ > > Somebody used their app hosting service and implemented an OpenID > provider. > > That kind of changes things, doesn't it? > > Vinay > > > > > > > > > -- > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > refugee shelter system > Gizmo Project VOIP: 775-743-1851 (usually works!) > http://hexayurt.com/ > Cell: Iceland (+354) 869-4605 > Skype/Gizmo/Gtalk: hexayurt > People with courage and character always seem sinister to the rest > Herman Hesse > > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > No virus found in this incoming message. > Checked by AVG. > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: 4/8/2008 7:30 AM > -- Paul Madsen e:paulmadsen @ ntt-at.com NTT p:613-482-0432 m:613-282-8647 aim:PaulMdsn5 web:connectid.blogspot.com From i.akhund at gmail.com Wed Apr 9 13:09:00 2008 From: i.akhund at gmail.com (Immad Akhund) Date: Wed, 9 Apr 2008 14:09:00 +0100 Subject: Google OpenID is now live In-Reply-To: <47FCAD5F.1020701@rogers.com> References: <47FCAD5F.1020701@rogers.com> Message-ID: <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> When Google eventually does make a proper OpenID provider all the OpenIDs provided by openid-provider.appspot.com would not match. Would get very confusing apart from advanced users that understand the distinction. Immad On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen wrote: > I expect Google might have a (legal) opinion on characterizing this > application as 'Google OpenID' > > I think I'll wait for Google itself to enable my Gmail as an OpenID. 
> > paul > > Vinay Gupta wrote: > > http://openid-provider.appspot.com/ > > > > Somebody used their app hosting service and implemented an OpenID > > provider. > > > > That kind of changes things, doesn't it? > > > > Vinay > > > > > > > > > > > > > > > > > > -- > > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > > refugee shelter system > > Gizmo Project VOIP: 775-743-1851 (usually works!) > > http://hexayurt.com/ > > Cell: Iceland (+354) 869-4605 > > Skype/Gizmo/Gtalk: hexayurt > > People with courage and character always seem sinister to the rest > > Herman Hesse > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > > > ------------------------------------------------------------------------ > > > > No virus found in this incoming message. > > Checked by AVG. > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: > 4/8/2008 7:30 AM > > > > -- > Paul Madsen e:paulmadsen @ ntt-at.com > NTT p:613-482-0432 > m:613-282-8647 > aim:PaulMdsn5 > web:connectid.blogspot.com > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > -- Cell: +1 617 460 7271 Skype: i.akhund Blog: http://immadsnewworld.com Clickpass, CTO -------------- next part -------------- An HTML attachment was scrubbed... URL: From john at extremeswank.com Wed Apr 9 17:45:11 2008 From: john at extremeswank.com (John Ehn) Date: Wed, 9 Apr 2008 13:45:11 -0400 Subject: Google OpenID is now live In-Reply-To: <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> Message-ID: I agree. I think this is an excellent technology demonstration, but it is a third-party, not Google, that is enabling the ID. 
John 2008/4/9 Immad Akhund : > When Google eventually does make a proper OpenID provider all the OpenIDs > provided by openid-provider.appspot.com would not match. > > Would get very confusing apart from advanced users that understand the > distinction. > > Immad > > > On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen > wrote: > > > I expect Google might have a (legal) opinion on characterizing this > > application as 'Google OpenID' > > > > I think I'll wait for Google itself to enable my Gmail as an OpenID. > > > > paul > > > > Vinay Gupta wrote: > > > http://openid-provider.appspot.com/ > > > > > > Somebody used their app hosting service and implemented an OpenID > > > provider. > > > > > > That kind of changes things, doesn't it? > > > > > > Vinay > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > > > refugee shelter system > > > Gizmo Project VOIP: 775-743-1851 (usually works!) > > > http://hexayurt.com/ > > > Cell: Iceland (+354) 869-4605 > > > Skype/Gizmo/Gtalk: hexayurt > > > People with courage and character always seem sinister to the rest > > > Herman Hesse > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > specs mailing list > > > specs at openid.net > > > http://openid.net/mailman/listinfo/specs > > > > > > > > ------------------------------------------------------------------------ > > > > > > No virus found in this incoming message. > > > Checked by AVG. 
> > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: > > 4/8/2008 7:30 AM > > > > > > > -- > > Paul Madsen e:paulmadsen @ ntt-at.com > > NTT p:613-482-0432 > > m:613-282-8647 > > aim:PaulMdsn5 > > web:connectid.blogspot.com > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > > > > > -- > Cell: +1 617 460 7271 > Skype: i.akhund > Blog: http://immadsnewworld.com > > Clickpass, CTO > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulej at packetizer.com Wed Apr 9 18:14:01 2008 From: paulej at packetizer.com (Paul E. Jones) Date: Wed, 9 Apr 2008 14:14:01 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> Message-ID: <03c001c89a6d$7d1f86b0$775e9410$@com> James, I don't think we need SRV records to do this. NAPTR would suffice, as that would allow one to transform one string into another. But, it seems that there is an overwhelming preference for using some kind of string of undetermined structure to identify a user which is not of an e-mail format. (I know there is an intent to use a URI, but most users have no idea what a URI is and few really type them properly.) So, while I still think the form user at provider is better for the user world-wide community, I understand the counter-arguments. And, perhaps I'll be proven wrong-- which is OK. 
Paul > -----Original Message----- > From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On > Behalf Of McGovern, James F (HTSC, IT) > Sent: Monday, April 07, 2008 3:21 PM > To: specs at openid.net > Subject: Using email address as OpenID identifier > > This would require defining an OpenID SRV record in DNS. Would make > sense for someone to get this formally defined as part of IETF. Could > kinda be done in the same way that Boeing is moving forward definition > of XRI in LDAP. > > -----Original Message----- > > Message: 1 > Date: Mon, 07 Apr 2008 18:56:57 +0100 > From: Martin Atkins > Subject: Re: Using email address as OpenID identifier > To: specs at openid.net > Message-ID: <47FA6069.1040800 at degeneration.co.uk> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Paul E. Jones wrote: > > > > Perhaps it is important to say, though, that I do not think it > > requires the e-mail providers to get on board with this (in my view) > > simpler notation. I could use an ID like paulej at myopenid.com and > that > > > should work, if myopenid.com would publish the appropriate NAPTR > > record. I could also insert NAPTR records into the packetizer.com > DNS > > > server that would allow me to use my email address, but point at my > > preferred OpenID provider. In short, just because the user at domain > > syntax is used does not mean that it is necessarily an e-mail address: > it > > > could be, but more importantly, it just follows that familiar format > documented in RFC 822. > > > > Funnily enough, I've always perceived the fact that syntactically-valid > but non-existent email addresses are being used as identifiers as a > problem rather than a benefit: > > * It creates confusion for users when something looks like an email > address but it doesn't behave as one. 
I've seen this sort of confusion > with Jabber servers, where users get confused that their Jabber ID and > email address are not the same, especially when Jabber clients say "For > example, user at example.com" under the Jabber ID field. > > * If not all email-shaped OpenID identifiers are actually working > mailboxes, it's likely to lead to a distressing user experience where > the user is first asked to enter their OpenID identifier -- that is, > their email address -- and then they're asked to enter and verify their > email address. At this point, I expect users to at best say "Stupid > computer! Remember what I've told you!" and at worst get confused and > think that the OpenID identifier they entered was not correct. > > * As has often been raised in both the OpenID-with-email and in the > Jabber circles, many people are reluctant to give up their email > addresses to the public eye for fear of spam. Note that Yahoo.com will, > by default, use a big opaque string as an identifier rather than the > user's Yahoo! account name for this very reason. > > > > > *********************************************************************** > ** > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the > intended > recipient, any use, copying, disclosure, dissemination or distribution > is > strictly prohibited. If you are not the intended recipient, please > notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. 
> *********************************************************************** > ** > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > From hexayurt at gmail.com Wed Apr 9 18:27:22 2008 From: hexayurt at gmail.com (Vinay Gupta) Date: Wed, 9 Apr 2008 20:27:22 +0200 Subject: Google OpenID is now live In-Reply-To: References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> Message-ID: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> I think that kind of misses the point. The *namespace* that google manages is now open for business as an OpenID provider. It's an unanticipated side-effect of the APIs. I think it's kind of a big deal, actually, in terms of how OpenID is right from an engineering perspective and how it can spread in unexpected ways. If only login were so easy. Vinay -- Vinay Gupta - Designer, Hexayurt Project - an excellent public domain refugee shelter system Gizmo Project VOIP: 775-743-1851 (usually works!) http://hexayurt.com/ Cell: Iceland (+354) 869-4605 Skype/Gizmo/Gtalk: hexayurt People with courage and character always seem sinister to the rest Herman Hesse On Apr 9, 2008, at 7:45 PM, John Ehn wrote: > I agree. I think this is an excellent technology demonstration, > but it is a third-party, not Google, that is enabling the ID. > > John > > 2008/4/9 Immad Akhund : > When Google eventually does make a proper OpenID provider all the > OpenIDs provided by openid-provider.appspot.com would not match. > > Would get very confusing apart from advanced users that understand > the distinction. > > Immad > > > On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen > wrote: > I expect Google might have a (legal) opinion on characterizing this > application as 'Google OpenID' > > I think I'll wait for Google itself to enable my Gmail as an OpenID. 
> > paul > > Vinay Gupta wrote: > > http://openid-provider.appspot.com/ > > > > Somebody used their app hosting service and implemented an OpenID > > provider. > > > > That kind of changes things, doesn't it? > > > > Vinay > > > > > > > > > > > > > > > > > > -- > > Vinay Gupta - Designer, Hexayurt Project - an excellent public > domain > > refugee shelter system > > Gizmo Project VOIP: 775-743-1851 (usually works!) > > http://hexayurt.com/ > > Cell: Iceland (+354) 869-4605 > > Skype/Gizmo/Gtalk: hexayurt > > People with courage and character always seem sinister to the rest > > Herman Hesse > > > > > > > ---------------------------------------------------------------------- > -- > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > > > > ---------------------------------------------------------------------- > -- > > > > No virus found in this incoming message. > > Checked by AVG. > > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release Date: > 4/8/2008 7:30 AM > > > > -- > Paul Madsen e:paulmadsen @ ntt-at.com > NTT p:613-482-0432 > m:613-282-8647 > aim:PaulMdsn5 > web:connectid.blogspot.com > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > > > -- > Cell: +1 617 460 7271 > Skype: i.akhund > Blog: http://immadsnewworld.com > > Clickpass, CTO > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From paulmadsen at rogers.com Wed Apr 9 18:36:04 2008 From: paulmadsen at rogers.com (Paul Madsen) Date: Wed, 09 Apr 2008 14:36:04 -0400 Subject: Google OpenID is now live In-Reply-To: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: <47FD0C94.4000403@rogers.com> if and when Google manages its own namespace as OpenIDs, I hope they provide more consistent QoS - I haven't seen this one work yet paul Vinay Gupta wrote: > > I think that kind of misses the point. The *namespace* that google > manages is now open for business as an OpenID provider. It's an > unanticipated side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is > right from an engineering perspective and how it can spread in > unexpected ways. If only login were so easy. > > Vinay > > > > > > > > -- > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > refugee shelter system > Gizmo Project VOIP: 775-743-1851 (usually works!) > http://hexayurt.com/ > Cell: Iceland (+354) 869-4605 > Skype/Gizmo/Gtalk: hexayurt > People with courage and character always seem sinister to the rest > Herman Hesse > > > On Apr 9, 2008, at 7:45 PM, John Ehn wrote: >> I agree. I think this is an excellent technology demonstration, but >> it is a third-party, not Google, that is enabling the ID. >> >> John >> >> 2008/4/9 Immad Akhund >: >> >> When Google eventually does make a proper OpenID provider all the >> OpenIDs provided by openid-provider.appspot.com >> would not match. >> >> Would get very confusing apart from advanced users that >> understand the distinction. 
>> >> Immad >> >> >> On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen >> > wrote: >> >> I expect Google might have a (legal) opinion on >> characterizing this >> application as 'Google OpenID' >> >> I think I'll wait for Google itself to enable my Gmail as an >> OpenID. >> >> paul >> >> Vinay Gupta wrote: >> > http://openid-provider.appspot.com/ >> > >> > Somebody used their app hosting service and implemented an >> OpenID >> > provider. >> > >> > That kind of changes things, doesn't it? >> > >> > Vinay >> > >> > >> > >> > >> > >> > >> > >> > >> > -- >> > Vinay Gupta - Designer, Hexayurt Project - an excellent >> public domain >> > refugee shelter system >> > Gizmo Project VOIP: 775-743-1851 (usually works!) >> > http://hexayurt.com/ >> > Cell: Iceland (+354) 869-4605 >> > Skype/Gizmo/Gtalk: hexayurt >> > People with courage and character always seem sinister to >> the rest >> > Herman Hesse >> > >> > >> > >> ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > specs mailing list >> > specs at openid.net >> > http://openid.net/mailman/listinfo/specs >> > >> > >> ------------------------------------------------------------------------ >> > >> > No virus found in this incoming message. >> > Checked by AVG. 
>> > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release >> Date: 4/8/2008 7:30 AM >> > >> >> -- >> Paul Madsen e:paulmadsen @ ntt-at.com >> >> NTT p:613-482-0432 >> m:613-282-8647 >> aim:PaulMdsn5 >> web:connectid.blogspot.com >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> >> >> -- >> Cell: +1 617 460 7271 >> Skype: i.akhund >> Blog: http://immadsnewworld.com >> >> Clickpass, CTO >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > No virus found in this incoming message. > Checked by AVG. > Version: 7.5.519 / Virus Database: 269.22.10/1367 - Release Date: 4/9/2008 7:10 AM > -- Paul Madsen e:paulmadsen @ ntt-at.com NTT p:613-482-0432 m:613-282-8647 aim:PaulMdsn5 web:connectid.blogspot.com From jpanzer at acm.org Thu Apr 10 05:47:51 2008 From: jpanzer at acm.org (John Panzer) Date: Wed, 09 Apr 2008 22:47:51 -0700 Subject: Google OpenID is now live In-Reply-To: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: <47FDAA07.3000800@acm.org> Any sufficiently advanced web site system is indistinguishable from an OP. Or, rather, can be turned into an OP. :) Vinay Gupta wrote: > > I think that kind of misses the point. 
The *namespace* that google > manages is now open for business as an OpenID provider. It's an > unanticipated side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is > right from an engineering perspective and how it can spread in > unexpected ways. If only login were so easy. > > Vinay > > > > > > > > -- > Vinay Gupta - Designer, Hexayurt Project - an excellent public domain > refugee shelter system > Gizmo Project VOIP: 775-743-1851 (usually works!) > http://hexayurt.com/ > Cell: Iceland (+354) 869-4605 > Skype/Gizmo/Gtalk: hexayurt > People with courage and character always seem sinister to the rest > Herman Hesse > > > On Apr 9, 2008, at 7:45 PM, John Ehn wrote: >> I agree. I think this is an excellent technology demonstration, but >> it is a third-party, not Google, that is enabling the ID. >> >> John >> >> 2008/4/9 Immad Akhund >: >> >> When Google eventually does make a proper OpenID provider all the >> OpenIDs provided by openid-provider.appspot.com >> would not match. >> >> Would get very confusing apart from advanced users that >> understand the distinction. >> >> Immad >> >> >> On Wed, Apr 9, 2008 at 12:49 PM, Paul Madsen >> > wrote: >> >> I expect Google might have a (legal) opinion on >> characterizing this >> application as 'Google OpenID' >> >> I think I'll wait for Google itself to enable my Gmail as an >> OpenID. >> >> paul >> >> Vinay Gupta wrote: >> > http://openid-provider.appspot.com/ >> > >> > Somebody used their app hosting service and implemented an >> OpenID >> > provider. >> > >> > That kind of changes things, doesn't it? >> > >> > Vinay >> > >> > >> > >> > >> > >> > >> > >> > >> > -- >> > Vinay Gupta - Designer, Hexayurt Project - an excellent >> public domain >> > refugee shelter system >> > Gizmo Project VOIP: 775-743-1851 (usually works!) 
>> > http://hexayurt.com/ >> > Cell: Iceland (+354) 869-4605 >> > Skype/Gizmo/Gtalk: hexayurt >> > People with courage and character always seem sinister to >> the rest >> > Herman Hesse >> > >> > >> > >> ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > specs mailing list >> > specs at openid.net >> > http://openid.net/mailman/listinfo/specs >> > >> > >> ------------------------------------------------------------------------ >> > >> > No virus found in this incoming message. >> > Checked by AVG. >> > Version: 7.5.519 / Virus Database: 269.22.9/1365 - Release >> Date: 4/8/2008 7:30 AM >> > >> >> -- >> Paul Madsen e:paulmadsen @ ntt-at.com >> >> NTT p:613-482-0432 >> m:613-282-8647 >> aim:PaulMdsn5 >> web:connectid.blogspot.com >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> >> >> -- >> Cell: +1 617 460 7271 >> Skype: i.akhund >> Blog: http://immadsnewworld.com >> >> Clickpass, CTO >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs > > ------------------------------------------------------------------------ > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From james at jamesh.id.au Thu Apr 10 07:40:50 2008 From: james at jamesh.id.au (James Henstridge) Date: Thu, 10 Apr 2008 15:40:50 +0800 Subject: Google OpenID is now live In-Reply-To: <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: On 10/04/2008, Vinay Gupta wrote: > I think that kind of misses the point. The *namespace* that google manages > is now open for business as an OpenID provider. It's an unanticipated > side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is right > from an engineering perspective and how it can spread in unexpected ways. If > only login were so easy. This service seems pretty much equivalent to Simon Willison's idproxy.net service for Yahoo accounts. The big difference between this sort of service and actual OpenID Provider support from Google/Yahoo is a matter of trust. With an OP run by Google, the user needs to trust Google. With this OP, the user needs to trust whoever is running the OP not to impersonate them. Given the lack of contact information, I'd be hesitant to use identities managed by that service and would not recommend others rely on it. James. From brad at danga.com Thu Apr 10 13:52:44 2008 From: brad at danga.com (Brad Fitzpatrick) Date: Thu, 10 Apr 2008 06:52:44 -0700 Subject: Google OpenID is now live In-Reply-To: References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> Message-ID: <1076e6c00804100652h782c6b96n25cba25d5ff828d6@mail.gmail.com> On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge wrote: > On 10/04/2008, Vinay Gupta wrote: > > I think that kind of misses the point. The *namespace* that google > manages > > is now open for business as an OpenID provider. It's an unanticipated > > side-effect of the APIs. 
> > > > I think it's kind of a big deal, actually, in terms of how OpenID is > right > > from an engineering perspective and how it can spread in unexpected > ways. If > > only login were so easy. > > This service seems pretty much equivalent to Simon Willison's > idproxy.net service for Yahoo accounts. > > The big difference between this sort of service and actual OpenID > Provider support from Google/Yahoo is a matter of trust. > > With an OP run by Google, the user needs to trust Google. With this > OP, the user needs to trust whoever is running the OP not to > impersonate them. Given the lack of contact information, I'd be > hesitant to use identities managed by that service and would not > recommend others rely on it. James, openid-provider.appspot.com was written by a Google engineer, Ryan Barrett, who also did most of the work (including all the initial work) on Blogger's OpenID support: References: http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM http://snarfed.org/space/2008-04-07_google_app_engine_launched http://snarfed.org/space/2007-12-02_openid_comments_in_blogger Further, App Engine apps don't process user credentials directly. They go through an OpenID-like auth process with Google, who actually processes the email/password and tells the App Engine app that somebody logged in, at what email. You can verify this yourself by looking at the form targets and HTTP traffic. See: http://code.google.com/appengine/docs/users/ So I'd say you can pretty much trust an openid-provider.a.com assertion that the person has a Google account. But like others have said, it's not an official Google product. Brad -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From james at jamesh.id.au Thu Apr 10 14:55:08 2008 From: james at jamesh.id.au (James Henstridge) Date: Thu, 10 Apr 2008 22:55:08 +0800 Subject: Google OpenID is now live In-Reply-To: <1076e6c00804100652h782c6b96n25cba25d5ff828d6@mail.gmail.com> References: <47FCAD5F.1020701@rogers.com> <1a338f430804090609m654a6ee3p525796f0771e6624@mail.gmail.com> <5CFBA7EB-D57F-4992-BA61-AE9876769E4C@gmail.com> <1076e6c00804100652h782c6b96n25cba25d5ff828d6@mail.gmail.com> Message-ID: On 10/04/2008, Brad Fitzpatrick wrote: > On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge > wrote: > > > > > On 10/04/2008, Vinay Gupta wrote: > > > I think that kind of misses the point. The *namespace* that google > manages > > > is now open for business as an OpenID provider. It's an unanticipated > > > side-effect of the APIs. > > > > > > I think it's kind of a big deal, actually, in terms of how OpenID is > right > > > from an engineering perspective and how it can spread in unexpected > ways. If > > > only login were so easy. > > > > This service seems pretty much equivalent to Simon Willison's > > idproxy.net service for Yahoo accounts. > > > > The big difference between this sort of service and actual OpenID > > Provider support from Google/Yahoo is a matter of trust. > > > > With an OP run by Google, the user needs to trust Google. With this > > OP, the user needs to trust whoever is running the OP not to > > impersonate them. Given the lack of contact information, I'd be > > hesitant to use identities managed by that service and would not > > recommend others rely on it.
> > James, > > openid-provider.appspot.com was written by a Google engineer, Ryan Barrett, > who also did most the work (including all the initial work) on Blogger's > OpenID support: > > References: > > http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM > http://snarfed.org/space/2008-04-07_google_app_engine_launched > http://snarfed.org/space/2007-12-02_openid_comments_in_blogger Okay. It wasn't clear who was running the service just by looking at the URL originally posted. > Further, App Engine apps don't process user credentials directly. They go > through an OpenID-like auth process with Google, who actually processes the > email/password and tells the App Engine app that somebody logged in, at what > email. You can verify this yourself by looking at the form targets and HTTP > traffic. See: > > http://code.google.com/appengine/docs/users/ > > So I'd say you can pretty much trust an openid-provider.a.com assertion that > the person has a Google account. But like others have said, it's not an > official Google product. I realise that Google's authsub service doesn't reveal a user's email + password to the relying site (in this case openid-provider.appspot.com). If you are using an OpenID provider that I control, you are trusting me not to add a backdoor that lets me authenticate to RPs as your identity URL. And given the way OpenID works, I'd have a pretty good idea of which RPs to go after. Based on the info in the links you provided it is probably safe to trust the site not to do these things, but it is not clear from the information on that site alone. James. 
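The mapping from a user@domain identifier to an OpenID URL through a NAPTR record, which the "Using email address as OpenID identifier" thread that follows argues over (Paul Jones proposes it; Peter Davis prefers it to regexps in TXT records), worked through below as an added example. This is not code from any list participant. It implements the relying-party side: take the domain part, fetch its NAPTR rules, keep the terminal rules for the OpenID service, and apply the RFC 3403 regexp field to the identifier. The NAPTR data, the domain names, the "OpenID2" service tag and the OP URLs are constructed stand-ins for a DNS answer. It also adds the checks a relying party would want before using the result, which the thread does not spell out: the rewrite is controlled by whoever controls the domain's DNS, so the RP should accept only an absolute https URL without userinfo, and should refuse local parts containing characters that would let them escape the URL path, because the rule substitutes them unencoded. A plain DNS answer is spoofable, so without DNSSEC validation the mapping is only as trustworthy as the resolver path.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for DNS answers: domain -> list of NAPTR RRs as
# (order, preference, flags, service, regexp, replacement). The domains,
# the "OpenID2" service tag and the OP URLs are assumptions for this example.
NAPTR_RECORDS = {
    "example.com": [
        (100, 10, "U", "E2U+sip", r"!^(.+)@(.*)$!sip:\1@voice.example.com!i", "."),
        (200, 10, "U", "OpenID2", r"!^(.+)@(.*)$!https://openid.example.com/\1!i", "."),
    ],
    # A domain whose rule rewrites to a plain-http OP: the RP must refuse it.
    "insecure.example": [
        (100, 10, "U", "OpenID2", r"!^(.+)@(.*)$!http://op.insecure.example/\1!i", "."),
    ],
}

# Characters that would let the local part escape the path of the rewritten
# URL or add userinfo to its authority, since NAPTR substitutes it unencoded.
_UNSAFE_LOCAL = set("/?#@\\: \t\r\n")


def parse_naptr_regexp(field):
    """Split an RFC 3403 regexp field, '<delim>ERE<delim>repl<delim>flags',
    on its first character. Escaped delimiters inside the ERE are not handled."""
    if len(field) < 3:
        raise ValueError("regexp field too short")
    delim = field[0]
    parts = field[1:].split(delim)
    if len(parts) != 3:
        raise ValueError("regexp field must have exactly three %r-delimited parts" % delim)
    ere, repl, flags = parts
    return ere, repl, flags.lower()


def apply_naptr_regexp(field, subject):
    """Apply one rule to subject; return the rewritten string, or None if the
    ERE does not match. Python's re stands in for POSIX ERE here."""
    ere, repl, flags = parse_naptr_regexp(field)
    match = re.compile(ere, re.IGNORECASE if "i" in flags else 0).search(subject)
    if match is None:
        return None

    # RFC 3403 allows only \1..\9 back-references in the replacement.
    def backref(b):
        n = int(b.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""

    return re.sub(r"\\([1-9])", backref, repl)


def resolve_email_identifier(identifier, lookup=NAPTR_RECORDS.get):
    """Map user@domain to an OpenID identifier URL via the domain's NAPTR rules.

    Returns None when the domain publishes no OpenID2 rule; raises ValueError
    when the identifier or the rewritten URL fails a safety check.
    """
    local, sep, domain = identifier.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("identifier is not of the form user@domain")
    if _UNSAFE_LOCAL & set(local):
        raise ValueError("local part contains characters that could alter the URL")
    # Keep terminal ('U') rules for the OpenID2 service, lowest order and
    # preference first, as RFC 3403 requires.
    rules = sorted(r for r in lookup(domain.lower(), [])
                   if r[2].upper() == "U" and r[3].lower() == "openid2")
    for _order, _pref, _flags, _service, regexp, _replacement in rules:
        url = apply_naptr_regexp(regexp, identifier)
        if url is None:
            continue
        parts = urlsplit(url)
        # The domain owner controls the rewrite, so insist on an absolute
        # https URL with no userinfo before treating it as a claimed identifier.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("rewritten identifier %r is not an absolute https URL" % url)
        if parts.username is not None or parts.password is not None:
            raise ValueError("rewritten identifier carries userinfo")
        return url
    return None
```

The resulting URL is only a claimed identifier; normal OpenID discovery and the authentication exchange with the OP still follow, so a bad NAPTR rule can at worst send the user to the wrong OP, not mint an assertion. Note that the service tag is the RP's only way to tell this rule apart from other NAPTR uses of the same domain (the constructed E2U+sip rule above is skipped for that reason).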
From peter.davis at neustar.biz Fri Apr 11 12:38:53 2008 From: peter.davis at neustar.biz (Peter Davis) Date: Fri, 11 Apr 2008 08:38:53 -0400 Subject: Using email address as OpenID identifier In-Reply-To: <03c001c89a6d$7d1f86b0$775e9410$@com> References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> <03c001c89a6d$7d1f86b0$775e9410$@com> Message-ID: this discussion, of course, has happened before: http://openid.net/pipermail/specs/2008-January/002104.html And paul is correct, IMHO... NAPTR is a better and more flexible way to address this. The original proposal had regex expressions in TXT RRs, which, while not improper, does not have a resolver code base to draw from, and some well-laid groundwork for regex processing libraries for resolvers to use. on the other hand, I've never wanted to use my email address as my openID, and you'd have to write a new profile which allowed the OP/RP to understand i can prove ownership of the identifier. =peterd On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote: > James, > > I don't think we need SRV records to do this. NAPTR would suffice, > as that > would allow one to transform one string into another. > > But, it seems that there is an overwhelming preference for using > some kind > of string of undetermined structure to identify a user which is not > of an > e-mail format. (I know there is an intent to use a URI, but most > users have > no idea what a URI is and few really type them properly.) > > So, while I still think the form user at provider is better for the user > world-wide community, I understand the counter-arguments. And, > perhaps I'll > be proven wrong-- which is OK.
> > Paul > >> -----Original Message----- >> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On >> Behalf Of McGovern, James F (HTSC, IT) >> Sent: Monday, April 07, 2008 3:21 PM >> To: specs at openid.net >> Subject: Using email address as OpenID identifier >> >> This would require defining an OpenID SRV record in DNS. Would make >> sense for someone to get this formally defined as part of IETF. Could >> kinda be done in the same way that Boeing is moving forward >> definition >> of XRI in LDAP.. >> >> -----Original Message----- >> >> Message: 1 >> Date: Mon, 07 Apr 2008 18:56:57 +0100 >> From: Martin Atkins >> Subject: Re: Using email address as OpenID identifier >> To: specs at openid.net >> Message-ID: <47FA6069.1040800 at degeneration.co.uk> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed >> >> Paul E. Jones wrote: >>> >>> Perhaps it is important to say, though, that I do not think it >>> requires the e-mail providers to get on board with this (in my view) >>> simpler notation. I could use an ID like paulej at myopenid.com and >> that >> >>> should work, if myopenid.com would publish the appropriate NAPTR >>> record. I could also insert NAPTR records into the packetizer.com >> DNS >> >>> server that would allow me to use my email address, but point at my >>> preferred OpenID provider. In short, just because the user at domain >>> syntax is used does not mean that it is necessarily an e-mail address: >> it >> >>> could be, but more importantly, it just follows that familiar format >> documented in RFC 822. >>> >> >> Funnily enough, I've always perceived the fact that syntactically-valid >> but non-existent email addresses are being used as identifiers as a >> problem rather than a benefit: >> >> * It creates confusion for users when something looks like an email >> address but it doesn't behave as one.
I've seen this sort of >> confusion >> with Jabber servers, where users get confused that their Jabber ID >> and >> email address are not the same, especially when Jabber clients say >> "For >> example, user at example.com" under the Jabber ID field. >> >> * If not all email-shaped OpenID identifiers are actually working >> mailboxes, it's likely to lead to a distressing user experience where >> the user is first asked to enter their OpenID identifier -- that is, >> their email address -- and then they're asked to enter and verify >> their >> email address. At this point, I expect users to at best say "Stupid >> computer! Remember what I've told you!" and at worst get confused and >> think that the OpenID identifier they entered was not correct. >> >> * As has often been raised in both the OpenID-with-email and in the >> Jabber circles, many people are reluctant to give up their email >> addresses to the public eye for fear of spam. Note that Yahoo.com >> will, >> by default, use a big opaque string as an identifier rather than the >> user's Yahoo! account name for this very reason. >> >> >> >> >> ********************************************************************* >> ** >> ** >> This communication, including attachments, is >> for the exclusive use of addressee and may contain proprietary, >> confidential and/or privileged information. If you are not the >> intended >> recipient, any use, copying, disclosure, dissemination or >> distribution >> is >> strictly prohibited. If you are not the intended recipient, please >> notify >> the sender immediately by return e-mail, delete this communication >> and >> destroy all copies. 
>> ********************************************************************* >> ** >> ** >> >> _______________________________________________ >> specs mailing list >> specs at openid.net >> http://openid.net/mailman/listinfo/specs >> > > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs From joseph at josephholsten.com Fri Apr 11 22:20:58 2008 From: joseph at josephholsten.com (Joseph Holsten) Date: Fri, 11 Apr 2008 17:20:58 -0500 Subject: Using email address as OpenID identifier In-Reply-To: References: <9C557D8C6864CA438EF362318A3DF6D56491D4@AD1HFDEXC306.ad1.prod> <03c001c89a6d$7d1f86b0$775e9410$@com> Message-ID: I really wish everyone would stop calling these identifiers "email addresses." They're no more email addresses than xmpp: uris. You aren't going to change the email standards. You will not forcibly require email servers to recognize xrds discovery. All you're going to get is an identifier that looks something like an email. You may as well say that you're using jabber addresses as openids. I'm going to stop saying you're actually speaking of XRDS document discovery, since that seems to be over everyone's head. I'm going to stop saying the openid list isn't the place for this, since we defer endpoint discovery to XRI discover 2.0, though we may switch to XRDS-Simple. But seriously, get off this list. But for goodness sakes, could you stop calling them email addresses? They're just email-looking urls, nothing more. Unless you guys are so crazy as to have a line like "XRDS discovery MUST verify that the identifier accepts email," you're just not talking about email. Respectfully and with far too much sarcasm, http:// Joseph Holsten .com On Fri, Apr 11, 2008 at 7:38 AM, Peter Davis wrote: > this discussion, of course, has happened before: > > http://openid.net/pipermail/specs/2008-January/002104.html > > And paul is correct, IMHO...
> NAPTR is a better and more flexible way > to address this. The original proposal had regex expressions in TXT > RRs, which, while not improper, does not have a resolver code base > to draw from, and some well-laid groundwork for regex processing > libraries for resolvers to use. > > on the other hand, I've never wanted to use my email address as my > openID, and you'd have to write a new profile which allowed the OP/RP > to understand i can prove ownership of the identifier. > > =peterd > > > On Apr 9, 2008, at 2:14 PM, Paul E. Jones wrote: > > James, > > > > I don't think we need SRV records to do this. NAPTR would suffice, > > as that > > would allow one to transform one string into another. > > > > But, it seems that there is an overwhelming preference for using > > some kind > > of string of undetermined structure to identify a user which is not > > of an > > e-mail format. (I know there is an intent to use a URI, but most > > users have > > no idea what a URI is and few really type them properly.) > > > > So, while I still think the form user at provider is better for the user > > world-wide community, I understand the counter-arguments. And, > > perhaps I'll > > be proven wrong-- which is OK. > > > > Paul > > > >> -----Original Message----- > >> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On > >> Behalf Of McGovern, James F (HTSC, IT) > >> Sent: Monday, April 07, 2008 3:21 PM > >> To: specs at openid.net > >> Subject: Using email address as OpenID identifier > >> > >> This would require defining an OpenID SRV record in DNS. Would make > >> sense for someone to get this formally defined as part of IETF. Could > >> kinda be done in the same way that Boeing is moving forward > >> definition > >> of XRI in LDAP..
> >> > >> -----Original Message----- > >> > >> Message: 1 > >> Date: Mon, 07 Apr 2008 18:56:57 +0100 > >> From: Martin Atkins > >> Subject: Re: Using email address as OpenID identifier > >> To: specs at openid.net > >> Message-ID: <47FA6069.1040800 at degeneration.co.uk> > >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >> > >> Paul E. Jones wrote: > >>> > >>> Perhaps it is important to say, though, that I do not think it > >>> requires the e-mail providers to get on board with this (in my view) > >>> simpler notation. I could use an ID like paulej at myopenid.com and > >> that > >> > >>> should work, if myopenid.com would publish the appropriate NAPTR > >>> record. I could also insert NAPTR records into the packetizer.com > >> DNS > >> > >>> server that would allow me to use my email address, but point at my > >>> preferred OpenID provider. In short, just because the user at domain > >>> syntax is used does not mean that it is necessarily an e-mail address: > >> it > >> > >>> could be, but more importantly, it just follows that familiar format > >> documented in RFC 822. > >>> > >> > >> Funnily enough, I've always perceived the fact that syntactically-valid > >> but non-existent email addresses are being used as identifiers as a > >> problem rather than a benefit: > >> > >> * It creates confusion for users when something looks like an email > >> address but it doesn't behave as one. I've seen this sort of > >> confusion > >> with Jabber servers, where users get confused that their Jabber ID > >> and > >> email address are not the same, especially when Jabber clients say > >> "For > >> example, user at example.com" under the Jabber ID field.
> >> > >> * If not all email-shaped OpenID identifiers are actually working > >> mailboxes, it's likely to lead to a distressing user experience where > >> the user is first asked to enter their OpenID identifier -- that is, > >> their email address -- and then they're asked to enter and verify > >> their > >> email address. At this point, I expect users to at best say "Stupid > >> computer! Remember what I've told you!" and at worst get confused and > >> think that the OpenID identifier they entered was not correct. > >> > >> * As has often been raised in both the OpenID-with-email and in the > >> Jabber circles, many people are reluctant to give up their email > >> addresses to the public eye for fear of spam. Note that Yahoo.com > >> will, > >> by default, use a big opaque string as an identifier rather than the > >> user's Yahoo! account name for this very reason. > >>
> >> > >> _______________________________________________ > >> specs mailing list > >> specs at openid.net > >> http://openid.net/mailman/listinfo/specs > >> > > > > > > _______________________________________________ > > specs mailing list > > specs at openid.net > > http://openid.net/mailman/listinfo/specs > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > From Michael.Jones at microsoft.com Fri Apr 25 20:35:41 2008 From: Michael.Jones at microsoft.com (Mike Jones) Date: Fri, 25 Apr 2008 13:35:41 -0700 Subject: Proposal to create the PAPE working group Message-ID: In accordance with the OpenID Foundation IPR policies and procedures this note proposes the formation of a new working group chartered to produce an OpenID specification. As per Section 4.1 of the Policies, the specifics of the proposed working group are: Proposal: (a) Charter. (i) WG name: Provider Authentication Policy Extension (PAPE) (ii) Purpose: Produce a standard OpenID extension to the OpenID Authentication protocol that: provides a mechanism by which a Relying Party can request that particular authentication policies be applied by the OpenID Provider when authenticating an End User and provides a mechanism by which an OpenID Provider may inform a Relying Party which authentication policies were used. Thus a Relying Party can request that the End User authenticate, for example, using a phishing-resistant and/or multi-factor authentication method. (iii) Scope: Produce a revision of the PAPE 1.0 Draft 2 specification that clarifies its intent, while maintaining compatibility for existing Draft 2 implementations. Adding any support for communicating requests for or the use of specific authentication methods (as opposed to authentication policies) is explicitly out of scope.
(iv) Proposed List of Specifications: Provider Authentication Policy Extension 1.0, spec completion expected during May 2008. (v) Anticipated audience or users of the work: Implementers of OpenID Providers and Relying Parties, especially those interested in mitigating the phishing vulnerabilities of logging into OpenID providers with passwords. (vi) Language in which the WG will conduct business: English. (vii) Method of work: E-mail discussions on the working group mailing list, working group conference calls, and possibly a face-to-face meeting at the Internet Identity Workshop. (viii) Basis for determining when the work of the WG is completed: Proposed changes to draft 2 will be evaluated on the basis of whether they increase or decrease consensus within the working group. The work will be completed once it is apparent that maximal consensus on the draft has been achieved, consistent with the purpose and scope. (b) Background Information. (i) Related work being done in other WGs or organizations: (1) Assurance Levels as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk, Ed., "Electronic Authentication Guideline," April 2006.) [NIST_SP800-63]. This working group is needed to enable authentication policy statements to be exchanged by OpenID endpoints. No coordination is needed with NIST, as the PAPE specification uses elements of the NIST specification in the intended fashion. (ii) Proposers: Michael B. Jones, mbj at microsoft.com, Microsoft Corporation David Recordon, drecordon at sixapart.com, Six Apart Corporation Ben Laurie, benl at google.com, Google Corporation Drummond Reed, drummond.reed at cordance.net, Cordance Corporation John Bradley, john.bradley at wingaa.com, Wingaa Corporation Johnny Bufu, johnny.bufu at gmail.com, Independent Editors: Michael B.
Jones, mbj at microsoft.com, Microsoft Corporation David Recordon, drecordon at sixapart.com, Six Apart Corporation (iii) Anticipated Contributions: None. ==== (The rest of this note is informational and not part of the proposal to create an OpenID working group.) Given that the OpenID specification procedures call for votes of the membership, this would be a good time for those wanting to influence the outcome of this specification to join the OpenID Foundation. You can do so at http://openid.net/foundation/join/. Should you wish to join the working group, you will also need to execute the Contribution Agreement at http://openid.net/foundation/intellectual-property/ once the working group formation has been approved by the membership. After the Specifications Council has responded to this request to create a working group (which must happen within 15 days) a separate message will be sent asking those of you who are OpenID members to vote on the working group creation, containing instructions for how to do so. -- Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From hans at granqvist.com Sat Apr 26 16:45:35 2008 From: hans at granqvist.com (Hans Granqvist) Date: Sat, 26 Apr 2008 09:45:35 -0700 Subject: Proposal to create the PAPE working group In-Reply-To: References: Message-ID: The membership application forms seem to be missing from http://openid.net/foundation/join/. Can someone look into it? Thanks, Hans 2008/4/25 Mike Jones : > > > > > In accordance with the OpenID Foundation IPR policies and procedures this > note proposes the formation of a new working group chartered to produce an > OpenID specification. As per Section 4.1 of the Policies, the specifics of > the proposed working group are: > > > > Proposal: > > (a) Charter. 
> > (i) WG name: Provider Authentication Policy Extension > (PAPE) > > (ii) Purpose: Produce a standard OpenID extension to the > OpenID Authentication protocol that: provides a mechanism by which a > Relying Party can request that particular authentication policies be applied > by the OpenID Provider when authenticating an End User and provides a > mechanism by which an OpenID Provider may inform a Relying Party which > authentication policies were used. Thus a Relying Party can request that the > End User authenticate, for example, using a phishing-resistant and/or > multi-factor authentication method. > > (iii) Scope: Produce a revision of the PAPE 1.0 Draft 2 > specification that clarifies its intent, while maintaining compatibility for > existing Draft 2 implementations. Adding any support for communicating > requests for or the use of specific authentication methods (as opposed to > authentication policies) is explicitly out of scope. > > (iv) Proposed List of Specifications: Provider > Authentication Policy Extension 1.0, spec completion expected during May > 2008. > > (v) Anticipated audience or users of the work: > Implementers of OpenID Providers and Relying Parties, especially those > interested in mitigating the phishing vulnerabilities of logging into OpenID > providers with passwords. > > (vi) Language in which the WG will conduct business: > English. > > (vii) Method of work: E-mail discussions on the working > group mailing list, working group conference calls, and possibly a > face-to-face meeting at the Internet Identity Workshop. > > (viii) Basis for determining when the work of the WG is > completed: Proposed changes to draft 2 will be evaluated on the basis of > whether they increase or decrease consensus within the working group. The > work will be completed once it is apparent that maximal consensus on the > draft has been achieved, consistent with the purpose and scope. > > (b) Background Information.
> > (i) Related work being done in other WGs or organizations: > (1) Assurance Levels as defined by the National Institute of Standards and > Technology (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and > W. Polk, Ed., "Electronic Authentication Guideline," April 2006.) > [NIST_SP800-63]. This working group is needed to enable authentication > policy statements to be exchanged by OpenID endpoints. No coordination is > needed with NIST, as the PAPE specification uses elements of the NIST > specification in the intended fashion. > > (ii) Proposers: > > Michael B. Jones, mbj at microsoft.com, > Microsoft Corporation > > David Recordon, drecordon at sixapart.com, Six > Apart Corporation > > Ben Laurie, benl at google.com, Google > Corporation > > Drummond Reed, drummond.reed at cordance.net, > Cordance Corporation > > John Bradley, john.bradley at wingaa.com, > Wingaa Corporation > > Johnny Bufu, johnny.bufu at gmail.com, > Independent > > Editors: > > Michael B. Jones, mbj at microsoft.com, > Microsoft Corporation > > David Recordon, drecordon at sixapart.com, Six > Apart Corporation > > (iii) Anticipated Contributions: None. > > > > ==== > > > > (The rest of this note is informational and not part of the proposal to > create an OpenID working group.) > > > > Given that the OpenID specification procedures call for votes of the > membership, this would be a good time for those wanting to influence the > outcome of this specification to join the OpenID Foundation. You can do so > at http://openid.net/foundation/join/. Should you wish to join the working > group, you will also need to execute the Contribution Agreement at > http://openid.net/foundation/intellectual-property/ once the working group > formation has been approved by the membership.
After the Specifications > Council has responded to this request to create a working group (which must > happen within 15 days) a separate message will be sent asking those of you > who are OpenID members to vote on the working group creation, containing > instructions for how to do so. > > > > -- Mike > > > _______________________________________________ > specs mailing list > specs at openid.net > http://openid.net/mailman/listinfo/specs > > From Michael.Jones at microsoft.com Sat Apr 26 23:20:36 2008 From: Michael.Jones at microsoft.com (Mike Jones) Date: Sat, 26 Apr 2008 16:20:36 -0700 Subject: Proposal to create the PAPE working group In-Reply-To: References: Message-ID: I'm pleased to report that Dick Hardt has also added his name to the list of proposers for this working group. The list is now: Michael B. Jones, mbj at microsoft.com, Microsoft Corporation David Recordon, drecordon at sixapart.com, Six Apart Corporation Ben Laurie, benl at google.com, Google Corporation Drummond Reed, drummond.reed at cordance.net, Cordance Corporation John Bradley, john.bradley at wingaa.com, Wingaa Corporation Johnny Bufu, johnny.bufu at gmail.com, Independent Dick Hardt, dick at sxip.com, Sxip Identity Corporation -- Mike ________________________________ From: Mike Jones Sent: Friday, April 25, 2008 1:36 PM To: specs at openid.net Cc: David Recordon; Ben Laurie; Drummond Reed; John Bradley; Johnny Bufu Subject: Proposal to create the PAPE working group In accordance with the OpenID Foundation IPR policies and procedures this note proposes the formation of a new working group chartered to produce an OpenID specification. As per Section 4.1 of the Policies, the specifics of the proposed working group are: Proposal: (a) Charter. 
(i) WG name: Provider Authentication Policy Extension (PAPE) (ii) Purpose: Produce a standard OpenID extension to the OpenID Authentication protocol that: provides a mechanism by which a Relying Party can request that particular authentication policies be applied by the OpenID Provider when authenticating an End User and provides a mechanism by which an OpenID Provider may inform a Relying Party which authentication policies were used. Thus a Relying Party can request that the End User authenticate, for example, using a phishing-resistant and/or multi-factor authentication method. (iii) Scope: Produce a revision of the PAPE 1.0 Draft 2 specification that clarifies its intent, while maintaining compatibility for existing Draft 2 implementations. Adding any support for communicating requests for or the use of specific authentication methods (as opposed to authentication policies) is explicitly out of scope. (iv) Proposed List of Specifications: Provider Authentication Policy Extension 1.0, spec completion expected during May 2008. (v) Anticipated audience or users of the work: Implementers of OpenID Providers and Relying Parties, especially those interested in mitigating the phishing vulnerabilities of logging into OpenID providers with passwords. (vi) Language in which the WG will conduct business: English. (vii) Method of work: E-mail discussions on the working group mailing list, working group conference calls, and possibly a face-to-face meeting at the Internet Identity Workshop. (viii) Basis for determining when the work of the WG is completed: Proposed changes to draft 2 will be evaluated on the basis of whether they increase or decrease consensus within the working group. The work will be completed once it is apparent that maximal consensus on the draft has been achieved, consistent with the purpose and scope. (b) Background Information.
(i) Related work being done in other WGs or organizations: (1) Assurance Levels as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk, Ed., "Electronic Authentication Guideline," April 2006.) [NIST_SP800-63]. This working group is needed to enable authentication policy statements to be exchanged by OpenID endpoints. No coordination is needed with NIST, as the PAPE specification uses elements of the NIST specification in the intended fashion. (ii) Proposers: Michael B. Jones, mbj at microsoft.com, Microsoft Corporation David Recordon, drecordon at sixapart.com, Six Apart Corporation Ben Laurie, benl at google.com, Google Corporation Drummond Reed, drummond.reed at cordance.net, Cordance Corporation John Bradley, john.bradley at wingaa.com, Wingaa Corporation Johnny Bufu, johnny.bufu at gmail.com, Independent Editors: Michael B. Jones, mbj at microsoft.com, Microsoft Corporation David Recordon, drecordon at sixapart.com, Six Apart Corporation (iii) Anticipated Contributions: None. ==== (The rest of this note is informational and not part of the proposal to create an OpenID working group.) Given that the OpenID specification procedures call for votes of the membership, this would be a good time for those wanting to influence the outcome of this specification to join the OpenID Foundation. You can do so at http://openid.net/foundation/join/. Should you wish to join the working group, you will also need to execute the Contribution Agreement at http://openid.net/foundation/intellectual-property/ once the working group formation has been approved by the membership. After the Specifications Council has responded to this request to create a working group (which must happen within 15 days) a separate message will be sent asking those of you who are OpenID members to vote on the working group creation, containing instructions for how to do so.
-- Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From john at extremeswank.com Wed Apr 30 21:16:55 2008 From: john at extremeswank.com (John Ehn) Date: Wed, 30 Apr 2008 17:16:55 -0400 Subject: Correct AX Namespaces Message-ID: OpenID Colleagues, I (and a few other people) are rather confused about the current state of Attribute Exchange, and the default namespace URIs. Which of the following will be the correct namespace root for the future? http://schema.openid.net/ http://openid.net/schema/ http://axschema.org/ - MyOpenID supports http://schema.openid.net/ - The "Attribute Properties for OpenID Attribute Exchange" spec at http://openid.net/specs calls out http://openid.net/schema/. I don't know if there are any OPs that implement this version. - axschema.org calls out http://axschema.org/ They are all functionally equivalent, but it's up to the OpenID Provider to decide which to implement. As a result, the Relying Party has to guess which providers are implementing which namespace roots. Since the default behavior is to simply ignore the AX request if the namespace is not recognized, we cannot tell the difference between an OpenID Provider that doesn't support AX, and one that simply doesn't support the requested namespace. In researching, I found the original request to use http://schema.openid.net, which appeared to happen summer of 2007. Since http://axschema.org/ and http://openid.net/schema came out after that, I'm assuming that it should no longer be relevant. However, MyOpenID implements this namespace, so I can't say for sure if that's really the case. That still leaves us with three namespace roots. Can anyone tell me which one is now considered the standard implementation, so I don't have to build three Attribute Exchange schema definition sets into my codebase? Thank you, John Ehn extremeswank.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dick at sxip.com Wed Apr 30 23:23:50 2008 From: dick at sxip.com (Dick Hardt) Date: Thu, 1 May 2008 11:23:50 +1200 Subject: Correct AX Namespaces In-Reply-To: References: Message-ID: <866111CB-3051-488C-91DB-9DC795D81881@sxip.com> On 1-May-08, at 9:16 AM, John Ehn wrote: > OpenID Colleagues, > > I (and a few other people) are rather confused about the current > state of Attribute Exchange, and the default namespace URIs. Which > of the following will be the correct namespace root for the future? > > http://schema.openid.net/ > http://openid.net/schema/ > http://axschema.org/ > > - MyOpenID supports http://schema.openid.net/ > > - The "Attribute Properties for OpenID Attribute Exchange" spec at http://openid.net/specs > calls out http://openid.net/schema/. I don't know if there are any > OPs that implement this version. That is a boo-boo. I thought it had been fixed to NOT refer to a namespace. > > - axschema.org calls out http://axschema.org/ That is the namespace that we concluded to use on the list in the past. If people want, we can open up the discussion again. I agree the community needs to be clear on the namespace. -- Dick -------------- next part -------------- An HTML attachment was scrubbed... URL:
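Two passages on this page describe work that falls to the relying party once the OP's assertion comes back: the PAPE proposal (an RP asks for authentication policies such as phishing-resistant or multi-factor, and the OP reports which ones it applied) and John Ehn's question about which of the three AX namespace roots an OP will answer. The following is an added example serving both; it is not code from any list participant nor from the PAPE or AX specifications. It verifies a positive assertion's extension data the way an RP should: it finds each extension's alias through openid.ns.<alias> instead of assuming "pape" or "ax", it trusts only parameters named in openid.signed (everything else reached the RP through the user's browser and can be appended by anyone), it checks that every required PAPE policy was reported and that auth_time is fresh, and it matches AX attributes by type URI rather than alias, which also tells the RP which root the OP actually understood. The namespace and policy URIs are those defined by PAPE 1.0 and AX 1.0; the sample assertion, the OP and RP names, and the contact/email attribute path under each root are constructed. Verifying openid.sig itself against the association is assumed to have happened before this code runs.

```python
from datetime import datetime, timezone

# Namespace and policy URIs as defined by PAPE 1.0 and AX 1.0.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
AX_NS = "http://openid.net/srv/ax/1.0"
PAPE_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
# The three roots named in the thread; the contact/email path under each is assumed.
AX_ROOTS = ("http://axschema.org/", "http://schema.openid.net/", "http://openid.net/schema/")

# Constructed positive assertion. openid.sig is assumed to have been verified
# against the association already; the question here is which parameters that
# signature covers. Anything outside openid.signed arrived unauthenticated
# through the user's browser and may have been appended by anyone.
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example.com/alice",
    "openid.signed": ("claimed_id,identity,return_to,response_nonce,assoc_handle,"
                      "ns.pape,pape.auth_policies,pape.auth_time,"
                      "ns.ax,ax.mode,ax.type.email,ax.value.email"),
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PAPE_MULTI_FACTOR + " " + PAPE_PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-04-25T20:30:00Z",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
    "openid.ax.type.nick": "http://axschema.org/namePerson/friendly",  # unsigned
    "openid.ax.value.nick": "admin",                                  # unsigned
}


def _parse_utc(stamp):
    """OpenID timestamps are 'YYYY-MM-DDTHH:MM:SSZ', always UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extension_alias(msg, ns_uri):
    """Alias the OP chose for a namespace: the OP, not the RP, picks 'pape'/'ax'."""
    for key, value in msg.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return None


def signed_extension_params(msg, ns_uri):
    """{param: value} for one extension, limited to parameters listed in
    openid.signed; None if the extension or its ns declaration is unsigned."""
    alias = extension_alias(msg, ns_uri)
    signed = set(msg.get("openid.signed", "").split(","))
    if alias is None or "ns." + alias not in signed:
        return None
    prefix = "openid." + alias + "."
    return {key[len(prefix):]: value for key, value in msg.items()
            if key.startswith(prefix) and key[len("openid."):] in signed}


def check_pape(msg, required_policies, max_auth_age, now_utc):
    """RP side of PAPE: the OP must report every required policy, and auth_time
    must lie within max_auth_age seconds before now_utc. Returns (ok, reason)."""
    params = signed_extension_params(msg, PAPE_NS)
    if params is None:
        return False, "no signed PAPE response"
    missing = set(required_policies) - set(params.get("auth_policies", "").split())
    if missing:
        return False, "OP did not apply: " + " ".join(sorted(missing))
    if max_auth_age is not None:
        if "auth_time" not in params:
            return False, "auth_time missing although max_auth_age was requested"
        age = (_parse_utc(now_utc) - _parse_utc(params["auth_time"])).total_seconds()
        if not 0 <= age <= max_auth_age:
            return False, "authentication is %d seconds old" % age
    return True, "ok"


def check_ax(msg, wanted_types):
    """{type_uri: value} for requested single-valued attributes whose type and
    value are both signed. Match by type URI, never by alias, so the RP also
    learns which namespace root the OP actually answered."""
    params = signed_extension_params(msg, AX_NS)
    if params is None or params.get("mode") != "fetch_response":
        return {}
    found = {}
    for key, type_uri in params.items():
        if key.startswith("type.") and type_uri in wanted_types:
            alias = key[len("type."):]
            if "value." + alias in params:  # count.<alias> multi-valued form not handled
                found[type_uri] = params["value." + alias]
    return found


def ax_fetch_request(attribute_path="contact/email"):
    """Ask for one attribute under every root, so the reply can be matched by
    type URI whichever root the OP happens to recognise."""
    req = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for i, root in enumerate(AX_ROOTS):
        req["openid.ax.type.email%d" % i] = root + attribute_path
    req["openid.ax.if_available"] = ",".join("email%d" % i for i in range(len(AX_ROOTS)))
    return req
```

On the request side the RP sends openid.pape.preferred_auth_policies and openid.pape.max_auth_age, but those are only a request: an OP may ignore them and still return a positive assertion, so check_pape is what turns the preference into a decision. The AX workaround of asking under all three roots does not resolve the ambiguity John describes (an OP that ignores unknown types still looks like one without AX support), but matching the reply by type URI at least shows which root was honoured, and the signed-parameter filter is what keeps an attacker-appended attribute out of the session.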