[OpenID] OpenID based on email addresses... Just Works!
Chris Messina
chris.messina at gmail.com
Sun Nov 2 01:03:44 UTC 2008
On Fri, Oct 31, 2008 at 3:41 AM, David Fuelling <sappenin at gmail.com> wrote:
> The problem with using the mailto: schemed identifier as the
> "claimed_identifier" is that it is not "commonly resolvable" in the same way
> that a URL is. It requires a "mapping scheme" (like EAUT) or some other
> translation mechanism (DNS lookup?), which isn't built into common software
> like the web-browser, my blackberry, my iPhone, my Tivo, the space shuttle,
> etc.
>
> Firefox aside, I think it will be an uphill battle to try to get a mailto:
> schemed identifier to be supported on all the various platforms out there.
> We should be sticking to URLs as identifiers, which is why mapping the email
> address to a URL seems like a better plan than using the mailto: scheme as a
> new form of OpenID Identifier.
+1
> I know there are good arguments for/against -- this is a years-old
> debate....but I think it's essentially what we're disagreeing about --
> should the email address be the OpenID, or should it just map to an OpenID.
Because OpenID is a building block technology, I think that what an RP
should receive as the result of an OpenID transaction is a claimed
URL, with other data (like an email address) provided via discovery
or other mechanisms like SREG or AX (which is what Google is doing).
This is also why I have strong concerns about XRI in OpenID as
first-class citizens, since, like email, you cannot [currently]
resolve them to anything without going through a centralized service
(in EAUT's case, that service is emailtoid.net, designed, mind you,
for obsolescence).
Circling back on this discussion:
1. email addresses are currently better known to most people, more
people have email addresses that they already use to identify
themselves by, and many people already have accounts that are keyed to
their email address.
2. delegating OpenIDs or changing OPs is certainly an important issue
for account lifecycle management. I think it would be useful to simply
write down a set of use cases that we want to support and then decide
how best to support them. I feel like we're having circular arguments
when, for the most part, we agree on the ends, just not the means.
3. OpenIDs as URLs provide a foundational building block for the web,
enabling services to attach things to a commonly understood identifier.
We're not here yet, but this kind of meshed model should, over time,
be a compelling reason to use OpenID.
4. OpenID is succeeding because it works with the web that we have,
not the web that we want. We should keep this in mind when discussing
changes to the protocol, or relying on increasingly abstract aspects
of the web architecture (i.e. DNS).
Chris
--
Chris Messina
Citizen-Participant &
Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private