[OpenID] Combining Google & Yahoo user experience research
Chris Messina
chris.messina at gmail.com
Tue Oct 14 05:26:55 UTC 2008
Hi Nate,
It's unclear what you're proposing or suggesting...! Still, I have some
feedback...
On Mon, Oct 13, 2008 at 8:05 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
> ...the suggested approaches that you describe aren't sufficient to meet
> key discovery needs in most academic communities. These are four
> primary reasons why:
>
> 2) The user's IdP is not necessarily associated with their email
> provider. Specifically, some new students don't care to use a
> university-issued email account, while many services most interested
> in federated identity need authoritative data from the university,
> e.g. studenthood. We've worked hard to allow for the distinction
> between email and identity, and we'd like to preserve it, because it
> gives our users personal choice while we still manage key education-
> oriented information.
> 3) We're required legally and ethically, particularly in the EU, to
> protect the user's identity whenever possible. Asking the user to
> enter a primary identifier like email address for discovery makes
> protection of privacy impossible in some ways.
>
Nothing about including email identifiers as valid OpenID identifiers
requires that you use email as your primary identifier. It simply
enables the use of email addresses for signing in to services. So many sites
(in the wild) now immediately ask you for your email address after you sign
up with OpenID that it seems counter-productive NOT to support email
addresses... especially since they often require you to confirm your email
address via token (which, if it were part of the OpenID spec, could be done
entirely within the browser).
It's also conceivable that someone could delegate an email address to a
third-party OpenID provider, rather than their email provider... so if I were
to use chris at example.com as my email address, example.com would be able to
redirect (302) to my actual OpenID URL: realopenid.com/chris.
This is what the EAUT protocol specifies:
http://eaut.org
Of course you can also just use identifier select and provide your typical
OpenID URL (realopenid.com) and never reveal your email address, but that's
no different from what we have today, except for the usability hurdle of
learning URLs for self-identification.
I think you bring up some useful experiences in the wild, and I'm just
trying to focus your feedback... can you be specific about what of the
research is good and useful and what of it would not work given your
restrictions?
Chris
--
Chris Messina
Citizen-Participant &
Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private