[OpenID] Relationship of OpenID URLs and e-mail addresses

Johannes Ernst jernst+openid.net at netmesh.us
Wed Apr 4 17:11:34 UTC 2007 

David,

thanks for your extensive reply. Just a few comments:

> This is a tricky problem.

Guess why I asked ;-)

> Some Alternatives:
>
> ##Alternative 1a##
> Force users to pick a new "openid" username that is different from  
> their
> email username...

> ## Alternative 2##
> Referencing [1] below, the email address to OpenId URL mapping  
> could return
> a different mapping URI template for each email address entered.   
> Using this
> technique, when a user is assigned an OpenId URL, random text could  
> be added
> into the URL to obfuscate the <username> portion.

I hadn't thought of that one. It appears that it would solve the  
provisioning problem (the user doesn't have to do anything), but it  
still has downside of the user needing to remember both.

> ## Alternative 3##
> Assuming the point of your question is really, "how can this big email
> provider allow its users to use their email addresses as OpenId's  
> at login",
> then example.com may only want to "support" openids, but perhaps not
> *provide* them.  For example, 'sappenin at example.com' might map to
> 'sappenin.myopenid.com', or some other OP provider that the user  
> chooses to
> use.  This would preserve the privacy of the email address, since  
> the email
> address could map to any OP provider.

That's an idea, but in this particular case, it doesn't really apply  
because the "big e-mail provider" also does want to be a big openid  
provider.

> (Not meaning to pick on AOL, just using them as an example).

Am I correct that AIM handles do not directly translate into e-mail  
addresses, and thus AOL doesn't actually have this particular version  
of the problem even if they map AIM handles into their OpenID URLs?

>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general- 
>> bounces at openid.net] On
>> Behalf Of Johannes Ernst
>> Sent: Tuesday, April 03, 2007 11:01 AM
>> To: openid-general
>> Subject: [OpenID] Relationship of OpenID URLs and e-mail addresses
>>
>> Assume you are hosting millions of e-mail addresses for your
>> customers, like
>>      <username>@example.com.
>> Now you decide to also become an OpenID Provider for your customers.
>>
>> It would be straightforward to automatically create an OpenID for
>> each of your users, e.g. like
>>      http://openid.example.com/<username>
>>
>> Every spammer in the world will realize that this is how the scheme
>> works, and they will harvest all URLs on the net that start with
>> http://openid.example.com and spam the heck out of your users. Right?
>>
>> However, having different <username> components for e-mail and OpenID
>> is more complex (e.g. how do I explain this to mass-market customers?
>> How many users will bother to pick a new handle for their OpenID?)
>>
>> Does anybody have any ideas how to best solve this conundrum?
>>
>>
>>
>> Johannes Ernst
>> NetMesh Inc.
>>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list