[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
Chris Messina
chris.messina at gmail.com
Thu Oct 23 00:26:48 UTC 2008
On Wed, Oct 22, 2008 at 5:06 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Chris Messina wrote:
>>
>> Can we minimize the value of email addresses or facilitate the
>> transfer of verified email addresses so that users spend less time
>> validating email tokens or dredging through their spam inboxes looking
>> for them?
>>
>
> Point 2 is moot in the case where the email address is the OpenID
> identifier, since by the time the OP gets involved the user's already given
> the RP his email address.

An email address should not be an OpenID URL by definition; an email
address can be resolved to a valid OpenID URL identifier, but I don't
think that an email address itself should be a valid OpenID. I'll
elaborate on this in a blog post.

To be pedantic, an RP shouldn't rely on a user-supplied email address
the way the spec is written today since, as I demonstrated, I can
enter someone else's Yahoo OpenID into an RP and return a completely
different one. If an RP assumes that users will ALWAYS supply the
right email address, and that a valid returned OpenID assertion should
confirm that identifier (regardless of what's returned), there's a
serious disconnect here.

OTOH, if I supply user at openid.com on an RP, authenticate at
openid.com, and am returned from my OP with a URL-formatted
claimed_identifier ALONG with user at openid.com provided via SREG and/or
AX, then that's of some interest, although it adds some complexity to
implementation, as the supplied identifier would need to be stored and
then compared against OP-supplied information.

Chris
--
Chris Messina
Citizen-Participant &
Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private
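
The store-and-compare step described in the message above, as an added example that is not part of the original email: the RP keeps what the user typed, keys the account on the `openid.claimed_id` the OP returned, and treats the typed email as confirmed only when the SREG `openid.sreg.email` value matches it. The function names, domains and sample values are constructed for illustration, and the response is assumed to have already passed signature and discovery verification.

```python
# Added example: relying-party handling of a positive OpenID 2.0 assertion.
# Assumption: `response` has already passed signature and discovery checks.

def normalize_email(value):
    """Return 'local@domain' with the domain lowercased, or None if malformed."""
    value = (value or "").strip()
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return f"{local}@{domain.lower()}"


def reconcile(supplied_identifier, response):
    """Compare what the user typed at the RP with what the OP returned.

    Returns (account_key, email_confirmed).
    """
    claimed_id = response.get("openid.claimed_id")
    if not claimed_id:
        raise ValueError("assertion carries no claimed_id")

    # The account is keyed on the OP-returned claimed_id, never on user input,
    # because the user may authenticate as a different identity than typed.
    account_key = claimed_id

    # The typed email counts as confirmed only if the OP asserted the same one.
    # Even then it is the OP's claim; how far to trust it is RP policy.
    typed = normalize_email(supplied_identifier)
    asserted = normalize_email(response.get("openid.sreg.email"))
    email_confirmed = typed is not None and typed == asserted
    return account_key, email_confirmed


# Constructed sample data (hypothetical domain and users).
SESSION_INPUT = "alice@op.example"   # what was typed into the RP login box
MISMATCH = {                         # OP returned a different identity
    "openid.claimed_id": "https://op.example/id/bob",
    "openid.sreg.email": "bob@op.example",
}
MATCH = {                            # OP returned the identity that was typed
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.sreg.email": "alice@OP.example",
}

if __name__ == "__main__":
    for resp in (MISMATCH, MATCH):
        print(reconcile(SESSION_INPUT, resp))
```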