Using email address as OpenID identifier

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Mon Apr 7 19:21:07 UTC 2008


This would require defining an OpenID SRV record in DNS. Would make
sense for someone to get this formally defined as part of IETF. Could
kinda be done in the same way that Boeing is moving forward definition
of XRI in LDAP.

-----Original Message-----

Message: 1
Date: Mon, 07 Apr 2008 18:56:57 +0100
From: Martin Atkins <mart at degeneration.co.uk>
Subject: Re: Using email address as OpenID identifier
To: specs at openid.net
Message-ID: <47FA6069.1040800 at degeneration.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul E. Jones wrote:
> 
> Perhaps it is important to say, though, that I do not think it
> requires the e-mail providers to get on board with this (in my view)
> simpler notation.  I could use an ID like paulej at myopenid.com and that
> should work, if myopenid.com would publish the appropriate NAPTR
> record.  I could also insert NAPTR records into the packetizer.com DNS
> server that would allow me to use my email address, but point at my
> preferred OpenID provider.  In short, just because the user at domain
> syntax is used does not mean that it is necessarily an e-mail address: it
> could be, but more importantly, it just follows that familiar format
> documented in RFC 822.
> 

Funnily enough, I've always perceived the fact that syntactically-valid
but non-existent email addresses are being used as identifiers as a
problem rather than a benefit:

  * It creates confusion for users when something looks like an email
address but it doesn't behave as one. I've seen this sort of confusion
with Jabber servers, where users get confused that their Jabber ID and
email address are not the same, especially when Jabber clients say "For
example, user at example.com" under the Jabber ID field.

  * If not all email-shaped OpenID identifiers are actually working
mailboxes, it's likely to lead to a distressing user experience where
the user is first asked to enter their OpenID identifier -- that is,
their email address -- and then they're asked to enter and verify their
email address. At this point, I expect users to at best say "Stupid
computer! Remember what I've told you!" and at worst get confused and
think that the OpenID identifier they entered was not correct.

  * As has often been raised in both the OpenID-with-email and in the
Jabber circles, many people are reluctant to give up their email
addresses to the public eye for fear of spam. Note that Yahoo.com will,
by default, use a big opaque string as an identifier rather than the
user's Yahoo! account name for this very reason.



