[OpenID] Combining Google & Yahoo user experience research
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Oct 15 01:52:13 UTC 2008

>I don't understand your comment. Please elaborate.

Right.
Johannes suggested letting an E-mail address resolve to an XRDS file
that contained a "home page" entry. I read "resolving" as an
indicator of DNS, and asked who would be in charge. Currently we have
this method of yielding information from E-mail addresses: we contact
the person at the other end! Information gained thereby is under no
guarantee of being accurate, but at least we know that the user on
our website trying to authenticate via OpenID is (presumably) going
to enter an address that only *they* control, and therefore it's
reasonable to assume that the URI sent to us *from* that address was
also sent by that user. More importantly, though, a user at that
address is able to receive a request *and ignore it*, and, most
importantly of all, will always *see* incoming requests. Even if it's
just a spammer trying to test if the address is alive, the user will
then be *aware* that someone was probing their address. This *is* a
user-centric model.

I described this flow to propose a different direction for the
solution - automated responses within the mail server, still leaving
notices within the user's mailbox but *not* requiring the user's
direct involvement to proceed. Johannes clarified that he had *not*
meant the SMTP protocol, but did not explain what he *had* meant, so
I elaborated further, explaining that I saw both of the advantages
described previously (notification, and user control over whether to
respond with the requested info or not!) as not being possible in DNS.

That's where you joined in, saying - I'll quote:

>Putting it in DNS doesn't change the user-centricness, it just
>changes the means of publication.

I disagree here; to use military terminology here (as learned from
analyses of Trusted Computing) for a moment, your DNS server is not a
Trusted party for your personal information! IT does not have access
to your personal information; YOU do. If a spammer (or stalker) wants
to learn where you live (so they have a physical address for
snailmail spam or home invasion), they cannot simply ask the DNS
server where you live, because the DNS server does not possess that
information - they MUST contact you, the user, directly, and in the
process of making that request they not only make you (the user)
aware of it, but provoke the distinct possibility that you will
simply refuse to tell them!

Your reply also suggested, though, that this level of control *can*
be present in DNS, which intrigues me :)

-Shade