[OpenID] Re: Combining Google & Yahoo user experience research

Chris Messina chris.messina at gmail.com
Wed Oct 22 22:55:04 UTC 2008


On Wed, Oct 22, 2008 at 3:44 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Chris Messina wrote:
>>
>> The RP should treat an email address according to the identifier select
>> model, and only consider the domain.
>>
>
> Respectfully disagree.
>
> I'd be really confused/annoyed if I typed in one email address and ended up
> actually authenticating as another.
>
> There are already two ways to use alternate personas:
>  * Just enter the domain and choose an identifier at your OP.
>  * Explicitly enter the identifier for the persona you wish to use.
>
> We do not need a third:
>  * Enter an identifier for anyone who uses the same service as you use, then
> choose a sensible identifier at your OP.

This is the way that Yahoo does things today.

Try signing in to Pibb.com using http://me.yahoo.com/georgebush

If you're already signed in to your Yahoo account, you'll pick an
existing identifier and proceed, and Pibb won't have any idea who
http://me.yahoo.com/georgebush is.

If I decide to enter georgebush at yahoo.com into an RP and I'm signed in
as someone else on Yahoo.com, I'll be returned as the currently signed
in user, regardless of who owns georgebush at yahoo.com.

As has been suggested, a link on the OP should be provided that says
"Not georgebush at yahoo.com? Sign in again." -- the way that just about
everyone handles this today.

If the complete email address is to be considered verified after the
flow I just described, I think the protocol is broken.

Chris

-- 
Chris Messina
Citizen-Participant &
  Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
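
Added example, not part of the original message and not code from any OpenID library: a sketch of how an RP could handle the flow described above, keeping only the domain of an email-style input, requesting identifier select, and binding the session to the identifier the OP asserts rather than to the typed address. The two lookup callables, the `Login` record, the OP endpoint URL and the returned identifier are hypothetical or constructed, and the assertion's signature and nonce are assumed to have been verified already.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# OpenID 2.0 value meaning "let the OP choose the identifier".
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


@dataclass
class Login:
    account_key: str               # identifier the OP asserted; the only identity
    typed_hint: str                # what the user typed; display only
    verified_email: Optional[str]  # always None after this flow


def begin_login(user_input: str, op_endpoint_for_domain: Callable[[str], str]) -> dict:
    """Keep only the domain of an email-style input and request identifier select."""
    local, sep, domain = user_input.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email-style identifier")
    return {
        "typed": user_input,
        "op_endpoint": op_endpoint_for_domain(domain.lower()),  # hypothetical lookup
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
    }


def complete_login(pending: dict, assertion: dict,
                   endpoint_for_claimed_id: Callable[[str], Optional[str]]) -> Login:
    """Bind the session to the asserted claimed_id, never to the typed address.

    Assumes the assertion's signature and nonce were already checked.
    """
    claimed = assertion.get("openid.claimed_id", "")
    if not claimed or claimed == IDENTIFIER_SELECT:
        raise ValueError("OP did not return a concrete claimed identifier")
    # The RP never discovered this identifier itself, so it must run discovery
    # on it and confirm the responding OP is authoritative (OpenID 2.0, 11.2).
    if endpoint_for_claimed_id(claimed) != pending["op_endpoint"]:
        raise ValueError("OP is not authoritative for the asserted identifier")
    return Login(account_key=claimed, typed_hint=pending["typed"], verified_email=None)
```
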