[OpenID] Combining Google & Yahoo user experience research
Allen Tom
atom at yahoo-inc.com
Wed Oct 22 02:28:15 UTC 2008
Martin Atkins wrote:
> I think it'd be pretty confusing and non-obvious if I typed in
> something@example.com but, because of an existing session, I actually
> ended up claiming somethingelse@example.com. This could arise for a
> number of reasons, including but not limited to a given person having
> several email accounts or several users sharing the same computer who
> have not yet discovered the wonders of separate local user accounts.
>
> We should never ignore any part of what the user enters. If they just
> enter their OP's domain, then the above is fine.
>
+1
If the purpose is to verify a user's email address, then the user should
have typed in the correct email address to be verified, and the email
returned in the assertion should match the email address in the request.
Thanks,
Allen