[OpenID] Relationship of OpenID URLs and e-mail addresses

Recordon, David drecordon at verisign.com
Tue Apr 3 19:07:33 UTC 2007


While I'm not an operator of a large email service, I personally am not
worried about the SPAM discovery "problem".  Email already sucks today,
people already share their addresses all over the web, and quite frankly
IMHO the solution to SPAM is not hiding email addresses, but rather
changing how people filter their email.  Good blog post discussing this
around why Twitter is different
(http://www.zefhemel.com/archives/2007/04/03/pull-messaging).

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Johannes Ernst
Sent: Tuesday, April 03, 2007 10:01 AM
To: openid-general
Subject: [OpenID] Relationship of OpenID URLs and e-mail addresses

Assume you are hosting millions of e-mail addresses for your customers,
like
     <username>@example.com.
Now you decide to also become an OpenID Provider for your customers.

It would be straightforward to automatically create an OpenID for each
of your users, e.g. like
     http://openid.example.com/<username>

Every spammer in the world will realize that this is how the scheme
works, and they will harvest all URLs on the net that start with
http://openid.example.com and spam the heck out of your users. Right?

However, having different <username> components for e-mail and OpenID is
more complex (e.g. how do I explain this to mass-market customers?  
How many users will bother to pick a new handle for their OpenID?)

Does anybody have any ideas how to best solve this conundrum?



Johannes Ernst
NetMesh Inc.





More information about the general mailing list