[OpenID] OpenID Extension to handle Emails Addresses?

Martin Atkins mart at degeneration.co.uk
Thu Oct 30 17:56:40 UTC 2008

David Fuelling wrote:
>    1. The arguments about using DNS could apply to OpenID in general. 
>       However, OpenID doesn't do anything with DNS.  Why is this?  What
>       were the compelling reasons to not use DNS with OpenID?  Is there
>       an FAQ page somewhere about that?  I have only vague recollections
>       on the topic.

When you have an HTTP-based identifier, I think it makes sense to use 
HTTP to resolve it. So, just as with any other HTTP transaction, you:

  * Ask the DNS for the server that handles HTTP for the domain. (Which 
the "A" record in the domain has become the de-facto standard for, for 
better or worse. It'd be good if it were a SRV record, but whatever.)

  * You ask the HTTP server what's at the path given in the URL.

  * The response tells you the OpenID discovery information or, in the 
Yadis case, where to find the discovery information.

Now, you could argue (and people have argued) that using the MX record 
to find the mail server and somehow asking the mail server for the 
discovery information would be sensible. However, I would argue that 
this is overloading the concept of "mail exchanger" -- we don't use the 
MX record to discover IMAP or POP3 services either -- and that 
realistically speaking asking people to alter their SMTP server software 
is a complete non-starter.

You could also reasonably argue that my proposal of resolving 
mart at degeneration.co.uk as mart.degeneration.co.uk is a layering 
violation, since the username part does not belong in the DNS. I 
wouldn't mind losing that if someone has an alternative proposal for 
making delegation work. (One such proposal would be to put EAUT endpoint 
information in the DNS, of course. I wouldn't object to that on principle.)

>    2. Do some of the larger email providers have an opinion on the
>       mechanism used for "Discovery" in the email case?  For instance,
>       would Google/Yahoo/etc prefer that DNS be consulted first, or that
>       some HTTP-based discovery be consulted first?  Do they even care?

While obviously I can't speak for these big providers, my assumption in 
all this is that big providers can do whatever they like, whether it be 
altering the root of their website or putting stuff in DNS. Certainly 
the DNS change requirement hasn't stopped Hotmail or GMail supporting SPF.

I would of course be interested to hear from one of the big providers on 
this subject, since as far as I can tell they've been silent on it so far.

>     However, I wouldn't necessarily object to putting the *EAUT*
>     information in the DNS rather than the OpenID information directly.
>     The two things I care most about at this point are:
>      * DNS must be consulted first, for the reasons I go into in that post.
>      * In the case where an email address is the claimed_identifier, the
>     OpenID request must have openid.identity set to
>     mailto:theemailaddress, not the mapped HTTP
>     identifier. (In other words, this is an extension to OpenID
>     *Discovery*; the rest of the protocol is unchanged.)
> What if the user actually wants their URL to be the claimed identifier?  
> Would you be open to that?

I still haven't quite followed why, in that case, the user wouldn't just 
enter the URL into the OpenID box at the RP. If the user knows what a 
URL is enough to know they want to use it as an identifier, I think they 
can manage to type it in without relying on a layer of indirection to 
achieve that.
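As an added illustration (not code from this thread, from Martin's proposal, or from any OpenID library), the block below walks the three resolution steps listed above for an HTTP identifier and applies the email-to-hostname mapping Martin proposes. It runs offline against constructed DNS and HTTP tables; every hostname, address and endpoint in it is made up. The only real conventions it relies on are the Yadis X-XRDS-Location header and the OpenID 2.0 openid2.provider / openid2.local_id link relations. Restricting the local part to a single letters-digits-hyphen label is this example's own choice, made to surface the layering problem the message concedes.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-ins for the network so the example runs offline:
# an "A record" table for step 1, and (host, path) -> (headers, body) for step 2.
FAKE_DNS_A = {
    "mart.degeneration.co.uk": "192.0.2.10",   # TEST-NET-1 address, not real
    "degeneration.co.uk": "192.0.2.11",
}
FAKE_HTTP = {
    # Yadis case: the response only points at the XRDS document.
    ("mart.degeneration.co.uk", "/"): (
        {"Content-Type": "text/html",
         "X-XRDS-Location": "http://mart.degeneration.co.uk/yadis.xrds"},
        "<html><head><title>mart</title></head><body></body></html>",
    ),
    # HTML discovery case: the page itself carries the OpenID 2.0 link tags.
    ("degeneration.co.uk", "/mart"): (
        {"Content-Type": "text/html"},
        '<html><head>'
        '<link rel="openid2.provider" href="http://op.example.invalid/auth">'
        '<link rel="openid2.local_id" href="http://degeneration.co.uk/mart">'
        '</head><body></body></html>',
    ),
}


def email_to_proposed_identifier(email):
    """Map user@domain to http://user.domain/ as the message proposes.

    Example's own restriction: the local part must be a single
    letters-digits-hyphen label, because anything else cannot become a
    hostname (the layering problem the message itself concedes).
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("expected a single user@domain address")
    if not all(c.isalnum() or c == "-" for c in local) or local[0] == "-":
        raise ValueError("local part %r is not a valid DNS label" % local)
    return "http://%s.%s/" % (local.lower(), domain.lower())


class _LinkRels(HTMLParser):
    """Collect <link rel=... href=...> pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.split():
                self.rels[token.lower()] = href


def parse_discovery(headers, body):
    """Step 3: a Yadis pointer (X-XRDS-Location) wins; otherwise fall back
    to OpenID 2.0 HTML discovery. Returns None when neither is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-xrds-location" in lowered:
        return {"kind": "yadis", "xrds_location": lowered["x-xrds-location"]}
    parser = _LinkRels()
    parser.feed(body)
    if "openid2.provider" in parser.rels:
        return {"kind": "html",
                "op_endpoint": parser.rels["openid2.provider"],
                "local_id": parser.rels.get("openid2.local_id")}
    return None


def resolve(identifier, dns=FAKE_DNS_A, http=FAKE_HTTP):
    """Run the three steps from the message against the fake network."""
    parts = urlsplit(identifier)
    host = parts.hostname
    if parts.scheme != "http" or host is None:
        raise ValueError("only http:// identifiers are handled here")
    # Step 1: ask the DNS which server handles HTTP for the domain (A record).
    if host not in dns:
        return {"error": "no A record for %s" % host}
    # Step 2: ask that HTTP server what is at the path given in the URL.
    path = parts.path or "/"
    response = http.get((host, path))
    if response is None:
        return {"error": "no document at %s on %s" % (path, host)}
    # Step 3: the response carries, or points at, the discovery information.
    found = parse_discovery(*response)
    if found is None:
        return {"error": "response carries no OpenID discovery information"}
    found["server"] = dns[host]
    return found


if __name__ == "__main__":
    print(resolve(email_to_proposed_identifier("mart@degeneration.co.uk")))
    print(resolve("http://degeneration.co.uk/mart"))
    print(resolve("http://nobody.degeneration.co.uk/"))
```

Note that `resolve` returns the mapped HTTP identifier's discovery data only; per the point quoted above, an RP following the email proposal would still send the mailto: form as openid.identity rather than the mapped URL, which is why the two are kept separate here.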
