[OpenID] OpenID Extension to handle Emails Addresses?
mart at degeneration.co.uk
Thu Oct 30 17:56:40 UTC 2008
David Fuelling wrote:
> 1. The arguments about using DNS could apply to OpenID in general.
> However, OpenID doesn't do anything with DNS. Why is this? What
> were the compelling reasons to not use DNS with OpenID? Is there
> an FAQ page somewhere about that? I have only vague recollections
> on the topic.
When you have an HTTP-based identifier, I think it makes sense to use
HTTP to resolve it. So, just as with any other HTTP transaction, you:
* Ask the DNS for the server that handles HTTP for the domain. (Which
the "A" record in the domain has become the de-facto standard for, for
better or worse. It'd be good if it were a SRV record, but whatever.)
* You ask the HTTP server what's at the path given in the URL.
* The response tells you the OpenID discovery information or, in the
Yadis case, where to find the discovery information.
Now, you could argue (and people have argued) that using the MX record
to find the mail server and somehow asking the mail server for the
discovery information would be sensible. However, I would argue that
this is overloading the concept of "mail exchanger" -- we don't use the
MX record to discover IMAP or POP3 services either -- and that
realistically speaking asking people to alter their SMTP server software
is a complete non-starter.
You could also reasonably argue that my proposal of resolving
mart at degeneration.co.uk as mart.degeneration.co.uk is a layering
violation, since the username part does not belong in the DNS. I
wouldn't mind losing that if someone has an alternative proposal for
making delegation work. (One such proposal would be to put EAUT endpoint
information in the DNS, of course. I wouldn't object to that on principle.)
> 2. Do some of the larger email providers have an opinion on the
> mechanism used for "Discovery" in the email case? For instance,
> would Google/Yahoo/etc prefer that DNS be consulted first, or that
> some HTTP-based discovery be consulted first? Do they even care?
While obviously I can't speak for these big providers, my assumption in
all this is that big providers can do whatever they like, whether it be
altering the root of their website or putting stuff in DNS. Certainly
the DNS change requirement hasn't stopped Hotmail or GMail supporting SPF.
I would of course be interested to hear from one of the big providers on
this subject, since as far as I can tell they've been silent on it so far.
> However, I wouldn't necessarily object to putting the *EAUT*
> information in the DNS rather than the OpenID information directly.
> The two things I care most about at this point are:
> * DNS must be consulted first, for the reasons I go into in that post.
> * In the case where an email address is the claimed_identifier, the
> OpenID request must have openid.identity set to
> mailto:theemailaddress, not the mapped HTTP
> identifier. (In other words, this is an extension to OpenID
> *Discovery*; the rest of the protocol is unchanged.)
> What if the user actually wants their URL to be the claimed identifier?
> Would you be open to that?
I still haven't quite followed why, in that case, the user wouldn't just
enter the URL into the OpenID box at the RP. If the user knows what a
URL is enough to know they want to use it as an identifier, I think they
can manage to type it in without relying on a layer of indirection to
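As an added example (not code from this thread or from any OpenID library), here is one way to implement the mapping proposed above, mart@degeneration.co.uk to mart.degeneration.co.uk, together with the quoted requirement that openid.identity stay in mailto: form; the function names, the plain http:// scheme for the mapped identifier, and the validation rules are assumptions.

```python
import re
from urllib.parse import urlencode

# Hypothetical helpers for the proposal in the message: the local part of the
# email address becomes a DNS label under the domain, and discovery runs over
# HTTP against that name. A DNS label is 1-63 characters of letters, digits
# and hyphens with no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def email_to_identifier(email: str) -> str:
    """Map local@domain to http://local.domain/ (the message's proposal).

    Because the local part is pushed into the DNS, it must be a single valid
    label: dots would add extra labels ("a.b@example.com" would resolve as
    "a.b.example.com") and characters such as "+" or "_" are not legal in
    hostnames, so such addresses are rejected rather than silently altered.
    DNS names are case-insensitive, so the result is lower-cased; this means
    Mart@ and mart@ collapse to the same identifier, which a deployment
    relying on this mapping has to account for.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if not _LABEL.match(local):
        raise ValueError(f"local part {local!r} is not a valid DNS label")
    if not all(_LABEL.match(label) for label in domain.split(".")):
        raise ValueError(f"domain {domain!r} is not a valid hostname")
    return f"http://{local}.{domain}/".lower()


def is_mappable(email: str) -> bool:
    """True if the address survives the mapping rules above."""
    try:
        email_to_identifier(email)
        return True
    except ValueError:
        return False


def build_checkid_request(email: str, op_endpoint: str, return_to: str) -> str:
    """Build the OpenID 2.0 checkid_setup redirect URL for an email identifier.

    Per the quoted requirement, openid.claimed_id and openid.identity keep the
    mailto: form; only discovery used the mapped HTTP identifier.
    """
    email_to_identifier(email)  # discovery must have been possible
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": f"mailto:{email}",
        "openid.identity": f"mailto:{email}",
        "openid.return_to": return_to,
    }
    return f"{op_endpoint}?{urlencode(fields)}"
```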