[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research

[Martin Atkins]

SitG Admin wrote:
>> I guess the main caveat here is that OPs need to present a suitable 
>> user interface in the email case that explains it from the point of 
>> view of validating an email address rather than signing in. As usual, 
>> the UI at OPs isn't really something OpenID can control, so the 
>> success of the above approach will depend on figuring out what the 
>> correct UI flow is for this use-case.
> 
> I receive all my E-mail at a computer under my direct physical control; 
> I don't handle it through a webmail interface. That makes my UI flow 
> essentially offline. I may *download* the E-mail while online, but I can 
> go offline (good for 0-day exploits that immediately try to dial home) 
> before reading it, and copy any "please click here" URL's over to 
> another computer by hand.
> 
> I (and many other users in my situation) would not be thrilled with a UI 
> proposal that required the use of web-mail.
> 

If you do genuinely always go offline to read your email, I'd expect 
that taking the round-trip to your email client to confirm your email 
address -- something that will require you to visit a URL and thus to go 
online again -- would be a benefit to you rather than a hindrance.

If you wanted to use this system at a domain of your own then you would 
need to run, or have someone else run on your behalf, an email 
verification service for your domain. This would require a public HTTP 
server somewhere, but it could be completely separate from your email 
services.

For example. right now I have the email address I sent this message from 
configured to delegate OpenID services to MyOpenID using my own flavour 
of email-based OpenID discovery[1]. I'm not running anything HTTP for 
this and made no changes to my mail server to implement it.

[1] http://www.apparently.me.uk/18285.html