Using email address as OpenID identifier
Paul E. Jones
paulej at packetizer.com
Tue Apr 1 21:52:34 PDT 2008
Your point about DNS limitations is valid. Then again, anybody who will be offering the open identity server is likely going to have control over their DNS. Still, I’m not opposed to alternatives.
But, since you brought up the fact that one can enter yahoo.com and get redirected, I checked and, indeed, several OpenID sites already accept the e-mail ID as a form of identification—and I can get redirected to either Yahoo or MyOpenID.com. So, do some of the libraries already check for e-mail address forms? It seems that perhaps they do!
From: brad at fitzpat.com [mailto:brad at fitzpat.com] On Behalf Of Brad Fitzpatrick
Sent: Tuesday, April 01, 2008 10:38 PM
To: Paul E. Jones
Cc: specs at openid.net
Subject: Re: Using email address as OpenID identifier
This has been discussed to death and really should be a FAQ by now, but it's not written up, so I'll add a few points:
-- we should discuss this as a generic email to URL mapping problem, and ignore what is done with that URL then. yes, it could be used as an OpenID.
-- that said, with directed identity in OpenID 2.0, a user just needs to type in "yahoo.com", or press the pretty yahoo button. No typing.
-- For email-to-URL, NAPTR by itself is a non-starter. Technically it may be the correct way, but average people don't control their DNS. Hell, networksolutions doesn't even let you add SRV or TXT records.
-- A good solution to email-to-URL mapping will likely involve an XRDS-Simple-style two-pronged discovery lookup path. Whereas XRDS-Simple says "try Accept header, then parse the <head> tag", a good email-to-URL lookup "protocol" (best practice?) might be to try NAPTR first, then fall back to this:
2008/4/1 Paul E. Jones <paulej at packetizer.com>:
I've seen discussion here and there on the use of the e-mail address as the OpenID identifier. Perhaps this one says it best:
I share many of the same opinions. If OpenID is going to be practically usable by the average person, we cannot require the person to remember some very complex identifier. When I signed up for Yahoo's OpenID service, it presented me with a hideously ugly URL that looked similar to a base64-encoded string. I could not begin to tell you what it was. Fortunately, Yahoo allowed me to define my own, friendlier name. Still, the ID is not one that the average user will remember or get right.
While the e-mail address does not have to be one's ID, it can certainly serve as an alias. Suppose, for example, that the DNS records at Yahoo contained the following entry:
yahoo.com. IN NAPTR 100 10 "U" "OpenID2" "!^(.+)@(.*)$!https://me.yahoo.com/\1!i" .
This would allow a Relying Party to accept an e-mail address and perform a simple transformation to get the "real" URL identifier. Of course, this does not mean that the existing URL or XRI identifiers are invalid, nor does it mean that the "email address" has to be a real e-mail address. But, this form would certainly be far simpler for most people to use.
If something like this has been discussed and rejected, what was the reason?
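Added example, not part of the original thread or of any OpenID library: how a relying party could apply the NAPTR regexp field proposed above to an e-mail-style identifier while keeping user-typed characters from reshaping the derived URL. The function names, the pinned `ALLOWED_HOST` and the restricted local-part grammar are assumptions made for illustration; the record is embedded as a constant, written with the leading `!` delimiter that RFC 3403 requires, rather than fetched from DNS.

```python
import re
from urllib.parse import urlsplit

# Constructed input: regexp field of the proposed record, in RFC 3403 form
# (first character is the delimiter). A real RP would fetch it from DNS.
NAPTR_REGEXP = r"!^(.+)@(.*)$!https://me.yahoo.com/\1!i"
ALLOWED_HOST = "me.yahoo.com"  # assumption: host the RP expects for this domain

# Dot-atom local part only: no "/", "?", "#", "%", "@" or ".." can reach the URL.
SAFE_LOCAL = re.compile(r"[A-Za-z0-9_+-]+(\.[A-Za-z0-9_+-]+)*")


def parse_naptr_regexp(field):
    """Split 'delim ere delim repl delim flags' into (ere, repl, flags)."""
    if len(field) < 3:
        raise ValueError("regexp field too short")
    parts = field[1:].split(field[0])
    if len(parts) != 3:  # fails closed on escaped or stray delimiters
        raise ValueError("malformed regexp field")
    ere, repl, flags = parts
    if flags not in ("", "i"):
        raise ValueError("unsupported flag")
    return ere, repl, flags


def email_to_url(email, field=NAPTR_REGEXP, allowed_host=ALLOWED_HOST):
    """Map an e-mail-style identifier to a URL, validating input and output."""
    local, sep, domain = email.rpartition("@")
    if not sep or not domain or not SAFE_LOCAL.fullmatch(local):
        raise ValueError("address rejected before substitution")
    ere, repl, flags = parse_naptr_regexp(field)
    # Assumes the POSIX ERE in the record is also valid Python regex syntax.
    match = re.search(ere, email, re.IGNORECASE if flags == "i" else 0)
    if match is None:
        raise ValueError("address does not match the record")

    def backref(b):
        index = int(b.group(1))
        if index > match.re.groups:
            raise ValueError("back-reference to a missing group")
        return match.group(index) or ""

    # Expand \1..\9 by hand so nothing else in the replacement is interpreted.
    url = re.sub(r"\\([1-9])", backref, repl)
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != allowed_host:
        raise ValueError("derived URL fails the scheme/host check")
    if parts.username or parts.port or parts.query or parts.fragment:
        raise ValueError("derived URL carries unexpected components")
    return url
```

The output check matters as much as the input check: a record whose replacement builds the host from a captured group, or uses plain http, is rejected even when the address itself is well formed.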