[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
Chris Messina
chris.messina at gmail.com
Mon Oct 27 00:00:19 UTC 2008
On Sat, Oct 25, 2008 at 3:03 AM, George Fletcher <gffletch at aol.com> wrote:
> I think there are at least two use cases involving email addresses that
> can be easily confused...
>
> 1. Use the email address as an indicator or pointer to a valid OpenID as
> the email address is an identifier that the user currently remembers.
> - this is the use case that EAUT is targeting and, if I understood
> correctly, what Chris is discussing as well
Yes. The point is, until MySpace users become familiar with using
their "MySpace OpenID" or "OpenID" (depending on how we recommend
MySpace market this behavior), we have ample reason to make it
possible for people to use identifiers with which they're already
familiar and use in common practice to sign in to web services:
namely, email addresses.
It also would provide a means to "upgrade" legacy accounts keyed to
email addresses to use remote authentication via OpenID... reducing
the need to remember discreet passwords (or sharing a unique password
between sites).
Although there will be increasing numbers of URL-formatted/based
identifiers out there for people to use for OpenID authentication, it
seems that a great way to simplify OpenID's offering and to make it
more palatable to those who argue that they identify themselves by an
email address is indeed to figure out the best way to enable that
possibility, and to disarm that argument.
> 2. Verify an email address for those RP's that want/need/require a
> "verified email address"
> - this is more about the RP getting a verified identity attribute
> - the expectation is that an OpenID based flow would allow a user who
> has to verify their email address to do it in "real time" rather than
> the async email method used today
A common complaint that I hear from people using OpenID to sign up for
new services comes down to an "OpenID tax": once they've successfully
authenticated with OpenID (which definitely isn't quite as fool proof
as I would hope), they're immediately asked to provide an email
address and then to validate it, receiving an out-of-band token. The
feedback I hear is that most people would rather just sign up with
their email address in the first place than have to deal with this
silly process.
This will continue to be a valid criticism unless or until we are able
to make URL-based verified identifiers more useful than email
addresses to RPs.
> I believe we need to keep these two use cases separate because the
> intentions/outcome is really quite different.
For clarify of conversation, +1.
Though solving both issues with one protocol/approach would be ultimately ideal.
Chris
>
> SitG Admin wrote:
>>> I'd guess that a contributing factor here is that most OPs don't support
>>> passing the email address via SREG.
>>>
>>
>> Since the discussion here seems to be about not only verifying E-mail
>> addresses, but using them in place of a URI, does it matter whether a
>> RP supports *receiving* an E-mail address via SREG?
>>
>> I don't want users' E-mail. I don't *need* users' E-mail. I don't
>> care. Is the requirement (that a user be able to receive E-mail at
>> their address) going to require me to be able to send them E-mail so
>> I can confirm their OpenID?
>>
>> -Shade
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
--
Chris Messina
Citizen-Participant &
Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private
More information about the general
mailing list