[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Oct 28 22:48:36 UTC 2008
>I assume therefore that when a website wants to validate your email
>address as per current practice you manually type the URL in the
>validation email into your web browser on the other computer?
So far they've also offered the option of replying to their
validation message, but, where they don't, I:
a) type it in as described ;)
b) burn it onto a rewritable CD to transfer
c) fire up Telnet and see if all I need to do is make the request
>What I'm trying to achieve is to simply ask the provider "does this
>user own this email address?" rather than sending an email and
>having a user click a link. It sounds to me like this would be
>especially useful to you since the computer that handles your email
>would be taken out of the picture completely and you'd just do a
>normal OpenID "redirect dance" in your browser.
I'm in favor of having authentication that doesn't risk exposing the
password to my main E-mail service, but how can an alternative work
without at least *talking to* my main E-mail server? I can't pinpoint
it, but I think my concern centers around the area of an altered DNS
entry for my main E-mail server throwing up red flags if altered,
while the presence or lack of an alternative entry such as you are
proposing might not be watched (or, if changed, noticed) by all IDS
systems. What kind of services will accept this secondary (indirect)
"E-mail" authentication method? What is the level of risk to
providers that, having never even *heard* of OpenID, must safeguard
this additional entry type in their DNS?
-Shade