[OpenID] OpenID based on email addresses... Just Works!

[Martin Atkins]

Chris Messina wrote:
> 
> It seems to me like this is just a matter of popularizing the idea of
> multiple identifier associations per account, just as you do when you
> associate multiple email addresses with an account (say, on Plaxo,
> Dopplr and elsewhere).
> 
> Ma.gnolia currently provides you the ability to associate multiple
> identifiers with your account, allowing you to use any of them to sign
> in.
> 
> Since we're moving to a model of remote authentication, we really do
> need to make sure that, apart from using XRDS to point to multiple OPs
> in the case that one goes down, associating more than one identifier
> per RP is also something that could or will be of value (especially if
> you initially sign up to a service with a "throw-away" OpenID for
> testing).
> 

Manually associating multiple identifiers with your account at your RP 
is the workaround, not the fix.

If we want to say with a straight face that we support migrating between 
identifiers, it needs to be *much* more automatic than this. Being able 
to migrate between identifiers needs to be the default.

With the tech we've got right now I think the best we can accomplish is 
using a service like the Google Social Graph API to discover other 
identifiers that a user has and prompt them to associate those with 
their account as well. (We can't do this automatically, because the data 
returned by SGAPI is not necessarily trustworthy.)

The main issue with that approach is overcoming the "stalkery" nature of 
this by explaining to users where this list came from. I think most 
users today would be pretty freaked out if they put in their LiveJournal 
identifier and it prompted them to add their MySpace account.