[OpenID] Relationship of OpenID URLs and e-mail addresses

frumioj at mac.com
Tue Apr 3 21:04:36 UTC 2007


Hi David,

Recordon, David wrote:
> While I'm not an operator of a large email service, I personally am not
> worried about the SPAM discovery "problem".

You're really not worried that some ISP won't make a canonical mapping
from the email addresses of their users to OpenID URLs, and then hand
those OpenIDs out to their users? Doesn't that mean that someone might
say, for example, "OpenID contributes to the spam problem"?

>  Email already sucks today,
> people already share their addresses all over the web, and quite frankly
> IMHO the solution to SPAM is not hiding email addresses, but rather
> changing how people filter their email.  Good blog post discussing this
> around why Twitter is different
> (http://www.zefhemel.com/archives/2007/04/03/pull-messaging).

Sure, new solutions to messaging will one day become as widespread as
email is today. That doesn't say anything about the mapping of email
addresses using existing technology, employed by millions, to OpenID URLs.

Is it really such a bad idea (or simply unnecessary) to provide some
guidelines or best practices around what OpenID Providers should or
should not do in creating OpenID URLs for their users? This doesn't
prevent someone doing silly things, but it at least shows that the
community has /some/ interest in helping prevent abuse.

- John

> 
> --David
> 
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Johannes Ernst
> Sent: Tuesday, April 03, 2007 10:01 AM
> To: openid-general
> Subject: [OpenID] Relationship of OpenID URLs and e-mail addresses
> 
> Assume you are hosting millions of e-mail addresses for your customers,
> like
>      <username>@example.com.
> Now you decide to also become an OpenID Provider for your customers.
> 
> It would be straightforward to automatically create an OpenID for each
> of your users, e.g. like
>      http://openid.example.com/<username>
> 
> Every spammer in the world will realize that this is how the scheme
> works, and they will harvest all URLs on the net that start with
> http://openid.example.com and spam the heck out of your users. Right?
> 
> However, having different <username> components for e-mail and OpenID is
> more complex (e.g. how do I explain this to mass-market customers?  
> How many users will bother to pick a new handle for their OpenID?)
> 
> Does anybody have any ideas how to best solve this conundrum?
> 
> 
> 
> Johannes Ernst
> NetMesh Inc.
> 
> 
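The trade-off raised in this thread, as an added example that is not part of any poster's message: a provider-side comparison of the direct `<username>` mapping with one assumed way of using a different component, a keyed hash of the mailbox name. The `/u/` path prefix, the key, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PROVIDER_HOST = "openid.example.com"  # host used in the thread
# Constructed key for this example; a provider would hold its own secret.
HANDLE_KEY = b"constructed-demo-key"


def direct_openid(username: str) -> str:
    """Scheme from the thread: the mailbox name is the URL path."""
    return f"http://{PROVIDER_HOST}/{username}"


def opaque_openid(username: str, key: bytes = HANDLE_KEY) -> str:
    """Assumed alternative: the path is an HMAC of the mailbox name.

    A keyed hash is used instead of a plain hash so that someone holding a
    list of likely usernames cannot recompute handles without the key.
    Lower-casing assumes the mail system treats local parts case-insensitively.
    """
    mac = hmac.new(key, username.lower().encode("utf-8"), hashlib.sha256).digest()
    # 10 bytes encode to exactly 16 base32 characters, with no padding.
    handle = base64.b32encode(mac[:10]).decode("ascii").lower()
    return f"http://{PROVIDER_HOST}/u/{handle}"


def leaks_mailbox(openid_url: str, username: str) -> bool:
    """Provider-side check: does an issued URL expose the mailbox name?"""
    return username.lower() in urlsplit(openid_url).path.lower()


def audit(usernames, issue):
    """Return the usernames whose issued OpenID URL reveals the mailbox name."""
    return [u for u in usernames if leaks_mailbox(issue(u), u)]


if __name__ == "__main__":
    users = ["j.smith", "bob1987"]  # constructed sample accounts
    print("direct scheme leaks:", audit(users, direct_openid))
    print("opaque scheme leaks:", audit(users, opaque_openid))
    for u in users:
        print(u, "->", opaque_openid(u))
```

The opaque handle is stable per user, so it still works as an identifier, but it is exactly the harder-to-explain second name that the original question worries about.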




