No subject

Fri Aug 15 23:49:43 UTC 2008

the user to enter an OpenID rather than changing how it works.. I mean
surely entering weblivz at hotmail.com can easily map to an OpenID
weblivz.hotmail.com

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Andrew Arnott
Sent: 30 October 2008 12:37
To: Ben Laurie
Cc: david at sixapart.com; OpenID List
Subject: Re: [OpenID] OpenID based on email addresses... Just Works!

I'm surprised no one has brought this up, but remember that having people
log into RPs using their email address is giving away a very personal bit of
information that I'd like to hide more than give away.  On another thread
concern was expressed over allowing OpenID to accidentally reveal the
preferred language of a user.  Well to me I think email address is far more
concerning.  

Of course an RP may want an email address and AX or SREG is a great way to
get it, but that's always the user's decision while at the OP or later at
the RP, and isn't a mandatory step to even initiate the login process.

On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie <benl at google.com> wrote:

On Thu, Oct 30, 2008 at 7:07 AM, Chris Messina <chris.messina at gmail.com>
wrote:
> On Thu, Oct 30, 2008 at 4:14 PM, David Recordon <drecordon at sixapart.com>
wrote:
>> Can you use POBox.com with david at yahoo.com?  For the added complexity I
just
>> don't think it's worth it considering you already can't delegate your
email.
>>  If you control the domain then you can choose your Provider, otherwise
>> you're at the mercy of who controls the domain.  Don't like it, then
don't
>> use your Yahoo account as your OpenID.  IMHO.
>> --David
>
> I'm coming around to this perspective.
>
> While maximal flexibility would be ideal for "delegating email
> addresses", I'm willing to compromise to find the simplest, easiest,
> quickest and least costliest path to adoption.
>
> While the mapping concept is a worthwhile one technologically, I think
> that trying to push all the freedoms that you get with URL-based
> OpenIDs into email addresses could be a losing proposition.
>
> If we can support email addresses with maximal flexibility with
> minimal costs, great, but from what I've seen of how changes actually
> get made, changing the OpenID spec as little as possible is the best
> way forward.
>
> It sounds like the OpenID.identity approach might be the best way to
> make this happen, pronto, without mucking with DNS and so on.

What is "the OpenID.identity approach"?

> Remember, email addresses today aren't really explicitly supported by
> the spec; the goal should be to make that a possibility with as little
> effort as possible.

It seems to me that there's a couple of things to consider:

1. Often the RP actually wants an email address, because it wants to
be able to communicate with the user. This can be solved with AX, of
course _but_ I suspect users will be confused by having to give an
"email address" that isn't actually their email address.

2. It seems that its possible to do a pretty good job with just the
domain - the email address is just a way to get the user to tell you
what the domain is so discovery can start.

Obviously discovery is a prerequisite, though.

>
> Chris
>
> --
> Chris Messina
> Citizen-Participant &
>  Open Technology Advocate-at-Large
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

------=_NextPart_000_025A_01C93A8E.EC367A10
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page Section1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I also find it odd as I&#8217;d quite like to have a =
durable
identifier, but not only do I have multiple emails, I tend to change =
emails
relatively often and I&#8217;m happy to share it using AX/SREG if/when I =
wish.<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Be interested in how an OpenID using my email as a =
primary identifier
would work if I wanted to change it.<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I do like an email account being used to discover an =
OpenID
right enough, if every email mapped to an openid &#8211; <a
href=3D"mailto:user at domain.com">user at domain.com</a> -&gt; =
user.domain.com or
domain.com/user &#8211; from what I can see it doesn&#8217;t even need =
to be a
real email address&#8230; so long as the mapping can be =
done.<o:p></o:p></span></p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

From what I have read you&#8217;re really just talking =
about
making it easier for the user to enter an OpenID rather than changing =
how it
works&#8230;. I mean surely entering weblivz at hotmail.com can easily map =
to an
OpenID weblivz.hotmail.com<o:p></o:p>

<p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
0cm 0cm 0cm'>

From:=

general-bounces at openid.net [mailto:general-bounces at openid.net] On =
Behalf Of Andrew
Arnott 
Sent: 30 October 2008 12:37 
To: Ben Laurie 
Cc: david at sixapart.com; OpenID List 
Subject: Re: [OpenID] OpenID based on email addresses... Just =
Works!<o:p></o:p>

</div>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

I'm surprised no one has brought this up, but =
remember that
having people log into RPs using their email address is giving away a =
very
personal bit of information that I'd like to hide more than give away. =
&nbsp;On
another thread concern was expressed over allowing OpenID to =
accidentally
reveal the preferred language of a user. &nbsp;Well to me I think email =
address
is far more concerning. &nbsp;<o:p></o:p>

<div>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=3DMsoNormal style=3D'margin-bottom:12.0pt'>Of course an RP may =
want an
email address and AX or SREG is a great way to get it, but that's always =
the
user's decision while at the OP or later at the RP, and isn't a =
mandatory step
to even initiate the login process.<o:p></o:p></p>

<div>

<p class=3DMsoNormal>On Thu, Oct 30, 2008 at 3:00 AM, Ben Laurie &lt;<a
href=3D"mailto:benl at google.com">benl at google.com</a>&gt; =
wrote:<o:p></o:p></p>

<div>

On Thu, Oct 30, 2008 =
at 7:07
AM, Chris Messina &lt;<a =
href=3D"mailto:chris.messina at gmail.com">chris.messina at gmail.com</a>&gt;
wrote: 
&gt; On Thu, Oct 30, 2008 at 4:14 PM, David Recordon &lt;<a
href=3D"mailto:drecordon at sixapart.com">drecordon at sixapart.com</a>&gt; =
wrote: 
&gt;&gt; Can you use POBox.com with <a =
href=3D"mailto:david at yahoo.com">david at yahoo.com</a>?
&nbsp;For the added complexity I just 
&gt;&gt; don't think it's worth it considering you already can't =
delegate your
email. 
&gt;&gt; &nbsp;If you control the domain then you can choose your =
Provider,
otherwise 
&gt;&gt; you're at the mercy of who controls the domain. &nbsp;Don't =
like it,
then don't 
&gt;&gt; use your Yahoo account as your OpenID. &nbsp;IMHO. 
&gt;&gt; --David 
&gt; 
&gt; I'm coming around to this perspective. 
&gt; 
&gt; While maximal flexibility would be ideal for &quot;delegating =
email 
&gt; addresses&quot;, I'm willing to compromise to find the simplest, =
easiest, 
&gt; quickest and least costliest path to adoption. 
&gt; 
&gt; While the mapping concept is a worthwhile one technologically, I =
think 
&gt; that trying to push all the freedoms that you get with =
URL-based 
&gt; OpenIDs into email addresses could be a losing proposition. 
&gt; 
&gt; If we can support email addresses with maximal flexibility with 
&gt; minimal costs, great, but from what I've seen of how changes =
actually 
&gt; get made, changing the OpenID spec as little as possible is the =
best 
&gt; way forward. 
&gt; 
&gt; It sounds like the OpenID.identity approach might be the best way =
to 
&gt; make this happen, pronto, without mucking with DNS and so =
on.<o:p></o:p>

</div>

<p class=3DMsoNormal>What is &quot;the OpenID.identity =
approach&quot;?<o:p></o:p></p>

<div>

<p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><br>
&gt; Remember, email addresses today aren't really explicitly supported =
by<br>
&gt; the spec; the goal should be to make that a possibility with as =
little<br>
&gt; effort as possible.<o:p></o:p></p>

</div>

It seems to me that there's a couple of things to =
consider: 
 
1. Often the RP actually wants an email address, because it wants to 
be able to communicate with the user. This can be solved with AX, of 
course _but_ I suspect users will be confused by having to give an 
&quot;email address&quot; that isn't actually their email address. 
 
2. It seems that its possible to do a pretty good job with just the 
domain - the email address is just a way to get the user to tell you 
what the domain is so discovery can start. 
 
Obviously discovery is a prerequisite, though.<o:p></o:p>

<div>

<div>

<p class=3DMsoNormal><br>
&gt;<br>
&gt; Chris<br>
&gt;<br>
&gt; --<br>
&gt; Chris Messina<br>
&gt; Citizen-Participant &amp;<br>
&gt; &nbsp;Open Technology Advocate-at-Large<br>
&gt; <a href=3D"http://factoryjoe.com" =
target=3D"_blank">factoryjoe.com</a> # <a
href=3D"http://diso-project.org" =
target=3D"_blank">diso-project.org</a><br>
&gt; <a href=3D"http://citizenagency.com" =
target=3D"_blank">citizenagency.com</a> #
<a href=3D"http://vidoop.com" target=3D"_blank">vidoop.com</a><br>
&gt; This email is: &nbsp; [ ] bloggable &nbsp; &nbsp;[X] ask first =
&nbsp; [ ]
private<br>
&gt; _______________________________________________<br>
&gt; general mailing list<br>
&gt; <a href=3D"mailto:general at openid.net">general at openid.net</a><br>
&gt; <a href=3D"http://openid.net/mailman/listinfo/general" =
target=3D"_blank">http://openid.net/mailman/listinfo/general</a><br>
&gt;<br>
_______________________________________________<br>
general mailing list<br>
<a href=3D"mailto:general at openid.net">general at openid.net</a><br>
<a href=3D"http://openid.net/mailman/listinfo/general" =
target=3D"_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:=
p></p>

</div>

</div>

</div>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

</div>

</div>

</body>

</html>

------=_NextPart_000_025A_01C93A8E.EC367A10--