[OpenID] Email as Identity

Martin Atkins mart at degeneration.co.uk
Sun Mar 30 17:25:46 UTC 2008


Paul Austin wrote:
> There is obviously a balance between protecting privacy of information 
> and making it easy for the average person to remember their login account.
> 
> I can definitely see why in some cases you would not want to give your 
> email to some websites, although websites may still ask you for your 
> email address as is common with a lot of forum and social networking 
> type web sites.
> 
> The other thing to consider which one of the following would protect 
> your privacy better?
> 
> me at gmail.com
> 
> or
> 
> http://openid.gmail.com/me
> 
> What this example shows is that if you base a url based id on the email 
> user name then someone who knows that pattern already has your email.
> 
> Anyway, I'm sure this has been debated to death so I'm going to not 
> continue the debate any further and wait and see what comes out in the 
> future.
> 

I believe Nat was referring to the "directed identity" flow, where you 
enter your provider's URL rather than your own.

For example, see Yahoo's provider implementation. They (by default) use 
a large, opaque mess as your identifier. Since users would never be 
able to remember such a thing, they are instead encouraged to simply log 
in as "yahoo.com". The OP can figure out who the user is and return the 
appropriate identifier in the response.

Yahoo's intent, as I understand it, was to prevent the trivial mapping 
to email address that you describe.
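
The directed-identity exchange described above, as an added Python example (not code from the original post, from Yahoo, or from any real provider): the RP sends the OpenID 2.0 `identifier_select` value because the user typed only the provider's name, the OP picks an opaque identifier for whoever it authenticated, and the RP then checks that the returned identifier is actually served by the asserting OP before trusting it, since in this flow the RP never saw the identifier before the response. The hostnames, the keyed-hash scheme the toy OP uses to mint identifiers, and the in-memory discovery table are assumptions; signature and nonce checking are left out of the model.

```python
"""Toy model of OpenID 2.0 "directed identity" (identifier_select)."""
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Hypothetical provider; hostnames and URL layout are assumptions.
OP_ENDPOINT = "https://op.example.net/server"
OP_IDENTIFIER_PREFIX = "https://op.example.net/id/"


def rp_build_request(return_to, realm):
    """RP step: the user entered only the provider, so the RP does not know
    the identifier yet and asks the OP to select one."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }


class Provider:
    """Stand-in OP. Assumed design: the identifier is a keyed hash of the
    account name, so it is stable per account but cannot be derived from
    (or reversed to) the account's e-mail address without the OP's key."""

    def __init__(self, secret):
        self._secret = secret
        self.issued = {}  # identifier -> account, backs the simulated discovery

    def opaque_identifier(self, account):
        tag = hmac.new(self._secret, account.encode(), hashlib.sha256).hexdigest()
        ident = OP_IDENTIFIER_PREFIX + tag
        self.issued[ident] = account
        return ident

    def handle_checkid(self, request, authenticated_account):
        """Positive assertion for an account the OP has already authenticated."""
        if request["openid.ns"] != OPENID_NS or request["openid.mode"] != "checkid_setup":
            raise ValueError("unsupported request")
        if request["openid.claimed_id"] != IDENTIFIER_SELECT:
            raise ValueError("this toy OP only handles directed identity")
        ident = self.opaque_identifier(authenticated_account)
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
        return {
            "openid.ns": OPENID_NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": ident,
            "openid.identity": ident,
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": nonce,
        }

    def discover(self, identifier):
        """Simulated discovery: which OP endpoint does this identifier declare?
        A real RP would fetch the identifier URL (Yadis/HTML discovery)."""
        return OP_ENDPOINT if identifier in self.issued else None


def rp_verify_response(response, request, discover):
    """RP step. Because the OP chose the identifier, the RP must confirm via
    discovery on the returned claimed_id that it is served by the OP that
    asserted it; otherwise any OP could assert any identifier. Returns the
    verified identifier or raises."""
    if response.get("openid.ns") != OPENID_NS or response.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if response["openid.return_to"] != request["openid.return_to"]:
        raise ValueError("return_to mismatch")
    claimed = response["openid.claimed_id"]
    if claimed == IDENTIFIER_SELECT:
        raise ValueError("OP did not select an identifier")
    if discover(claimed) != response["openid.op_endpoint"]:
        raise ValueError("claimed_id is not served by the asserting OP")
    return claimed


if __name__ == "__main__":
    op = Provider(b"op-signing-key")  # constructed secret
    req = rp_build_request("https://rp.example.org/return", "https://rp.example.org/")
    resp = op.handle_checkid(req, "paul")  # constructed account name
    print(rp_verify_response(resp, req, op.discover))
```

The discovery check at the end is the part that matters for directed identity: the RP learns the identifier from the response rather than from the user, so it has to confirm that the identifier's own discovery points back at the OP that signed the assertion.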
