[OpenID] Re: Combining Google & Yahoo user experience research

George Fletcher gffletch at aol.com
Mon Oct 27 16:30:35 UTC 2008


Martin Atkins wrote:
> George Fletcher wrote:
>> In the discussions I've had, there was one other use case. That is a 
>> site that isn't ready yet to support the full OpenID cross-domain SSO 
>> concept, yet wants to streamline their registration process such that 
>> they don't have to use the out-of-band email verification mechanism.  
>> In this case, a small extension to the OpenID protocol (similar in 
>> concept to AX) could be constructed that would allow a user to verify 
>> their ownership over the email address using a "synchronous" process 
>> vs the current async one.  So, if the RP's only concern is to verify 
>> that the user "owns" the email address they've specified, then the RP 
>> doesn't want the email address mapped to an OpenID, they want to know 
>> that the email address is valid and the user knows the password to it.
>>
>
> Verifying ownership of URLs is what OpenID is fundamentally all about. 
> The SSO thing is really just an application of it.
>
> Once you've got a discovery mechanism for email, you can do OpenID 
> Authentication on email addresses. At that point -- assuming you're 
> willing to trust the domain in question -- you have in-band email 
> address verification.
Yes, this is the expectation. The only difference between this and EAUT is 
that EAUT allows the resulting OpenID to not be owned by the email 
domain provider. In the case of "email verification" this additional 
level of indirection isn't really valuable.
>
> Whether you choose to use this as a mechanism for signing in as well 
> is up to you as an implementer, of course. The nice thing about the 
> above is that since you've already implemented OpenID anyway it's only 
> a small extra step to use it for signing in should you choose to go 
> that route.
This is exactly the argument that's been given in the discussions I've 
been involved with. Get RPs to support this form of "email verification" 
and it will take very little to then "move" them to support OpenID.
>
> I guess the main caveat here is that OPs need to present a suitable 
> user interface in the email case that explains it from the point of 
> view of validating an email address rather than signing in. As usual, 
> the UI at OPs isn't really something OpenID can control, so the 
> success of the above approach will depend on figuring out what the 
> correct UI flow is for this use-case.
>
+1
>

-- 
Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher at corp.aol.com
AOL LLC                           Home: gffletch at aol.com
Mobile: +1-703-462-3494
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
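The RP-side policy discussed in this exchange (run OpenID Authentication on an identifier derived from the email address, trust the email domain, and treat the resulting assertion as in-band proof of mailbox ownership) as a small worked example. This code is added here and is not from the thread, from EAUT, or from any OpenID library. It assumes a hypothetical per-domain mapping template (the real EAUT discovery lookup is not reproduced), an RP-maintained allow-list of email domains, and that the OpenID assertion itself (signature, nonce, return_to) has already been validated by the RP's OpenID stack before this check runs. The sample mappings and addresses are constructed for the example.

```python
"""Email-ownership verification on top of an OpenID assertion.

Added example, not code from the mailing-list thread or from EAUT.
Assumptions (not from the original page):
  - Each email domain publishes a way to turn an address into an
    identifier URL; modelled here as a hypothetical template string.
  - The RP keeps an explicit allow-list of domains it trusts to speak
    for their own mailboxes.
  - The OpenID assertion has already been verified by the RP's library.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data: templates an RP is assumed to have discovered.
# "example.net" deliberately points at an identifier on another domain,
# the extra level of indirection the thread says is not useful for
# email verification.
DISCOVERED_TEMPLATES = {
    "example.com": "https://openid.example.com/id/{local}",
    "example.org": "https://{domain}/~{local}",
    "example.net": "https://third-party-op.example/users/{local}",
}

# Constructed allow-list: domains this RP is willing to trust.
TRUSTED_DOMAINS = {"example.com", "example.org", "example.net"}


@dataclass(frozen=True)
class EmailVerification:
    ok: bool
    reason: str


def split_email(address: str) -> tuple[str, str]:
    """Split a bare address into (local part, lowercased domain).
    Rejects multiple '@', empty parts, whitespace and display-name forms."""
    if address.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = address.split("@")
    if not local or not domain or " " in address or "<" in address:
        raise ValueError("malformed address")
    return local, domain.lower().rstrip(".")


def email_to_identifier(address: str) -> str:
    """Map an address to the identifier URL the RP will run OpenID
    Authentication on, using the template discovered for its domain."""
    local, domain = split_email(address)
    template = DISCOVERED_TEMPLATES.get(domain)
    if template is None:
        raise LookupError(f"no identifier mapping published for {domain}")
    return template.format(local=local, domain=domain)


def domain_owns_host(domain: str, host: str) -> bool:
    """True when host is the email domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def verify_email_claim(address: str, asserted_identifier: str) -> EmailVerification:
    """Decide whether a positive OpenID assertion on asserted_identifier
    counts as proof that the user controls `address`.

    Policy: the identifier must be exactly the one derived from the
    address, the email domain must be on the RP's allow-list, and the
    identifier's host must belong to that domain. An identifier hosted
    elsewhere is refused, because then the assertion speaks for a
    different party than the mailbox's provider."""
    try:
        _, domain = split_email(address)
        expected = email_to_identifier(address)
    except (ValueError, LookupError) as exc:
        return EmailVerification(False, str(exc))
    if domain not in TRUSTED_DOMAINS:
        return EmailVerification(False, f"domain {domain} is not trusted for email verification")
    if asserted_identifier != expected:
        return EmailVerification(False, "asserted identifier does not match the one derived from the address")
    parts = urlsplit(asserted_identifier)
    if parts.scheme != "https" or not parts.hostname:
        return EmailVerification(False, "identifier must be an https URL with a host")
    if not domain_owns_host(domain, parts.hostname):
        return EmailVerification(False, f"identifier host {parts.hostname} is not under {domain}")
    return EmailVerification(True, f"{address} verified via OpenID assertion on {expected}")


if __name__ == "__main__":
    for addr, ident in [
        ("alice@example.com", "https://openid.example.com/id/alice"),
        ("bob@example.net", "https://third-party-op.example/users/bob"),
    ]:
        print(addr, "->", verify_email_claim(addr, ident))
```

The strict host check is the piece that makes the "trust the domain" assumption meaningful: an RP that accepts any identifier the mapping happens to produce would be trusting whoever hosts that identifier rather than the email provider, which is exactly the indirection the thread says adds nothing for the verification-only use case.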
